diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
index 24de090fe1..7778657771 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
@@ -18,17 +18,17 @@
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"s3-r-w.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"15.22.21.154.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"156.20.160.89.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2606:4700:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2607:f3c8:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2001:67c:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} |
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} |
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"45.63.54.13","Type":"A","Class":"IN"},{"Rdata":"216.229.4.69","Type":"A","Class":"IN"},{"Rdata":"45.79.111.167","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"108.61.73.244","Type":"A","Class":"IN"},{"Rdata":"71.43.215.194","Type":"A","Class":"IN"},{"Rdata":"162.159.200.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.229.0.50","Type":"A","Class":"IN"},{"Rdata":"192.227.183.3","Type":"A","Class":"IN"},{"Rdata":"162.159.200.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"37.85.255.92.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.13","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"58350","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"38200","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"249.252.85.54.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-54-85-252-249.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:33Z","query_name":"abcd.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"test.example.com.","Type":"CNAME","Class":"IN"},{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"52785","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
-{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.3.4.32.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-54-85-252-249.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
\ No newline at end of file
+{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.199.16.175.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
\ No newline at end of file
diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
index 63416dc44c..6d177e4798 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
@@ -1278,7 +1278,7 @@
 "dns": {
 "question": {
 "class": "IN",
- "name": "15.22.21.154.in-addr.arpa",
+ "name": "156.20.160.89.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NXDOMAIN"
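Review bot: The replacement PTR answer `ec2-89.160.20.112.compute-1.amazonaws.com.` on the added line for the `143.69.2.81.in-addr.arpa.` query (and again in the added ip6.arpa record) drops the EC2 reverse-name shape the removed line had (`ec2-54-85-252-249`, octets joined by dashes) and embeds an address that does not match the question, which reverses to 81.2.69.143. This matters beyond cosmetics because the pipeline output pins that string as a host in `related.hosts` (hunks @@ -1989, @@ -2022, @@ -2229 and @@ -2262 of test-route53.log-expected.json), so a dashed form built from the question's own address — a constructed example would be `ec2-81-2-69-143.compute-1.amazonaws.com.` — keeps the fixture self-consistent and closer to what the resolver actually emits. Separately, the rewritten `1.amazon.pool.ntp.org.` A answer now lists `175.16.199.1` twice, so the expected `related.ip` at @@ -1681 carries a duplicate entry; if the answers are meant to be four distinct addresses, a second host from the same test range would preserve that coverage.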
@@ -1291,7 +1291,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:39Z\",\"query_name\":\"15.22.21.154.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.160\",\"srcport\":\"59464\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:39Z\",\"query_name\":\"156.20.160.89.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.160\",\"srcport\":\"59464\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "failure",
 "type": [
 "protocol"
@@ -1306,7 +1306,7 @@
 "related": {
 "ip": [
 "172.31.86.160",
- "154.21.22.15"
+ "89.160.20.156"
 ]
 },
 "source": {
@@ -1399,17 +1399,17 @@
 },
 {
 "class": "IN",
- "data": "2606:4700:f1::1",
+ "data": "2a02:cf40:f1::1",
 "type": "AAAA"
 },
 {
 "class": "IN",
- "data": "2607:f3c8:3803:1::6",
+ "data": "2a02:cf40:3803:1::6",
 "type": "AAAA"
 },
 {
 "class": "IN",
- "data": "2001:67c:1560:8003::c7",
+ "data": "2a02:cf40:1560:8003::c7",
 "type": "AAAA"
 }
 ],
@@ -1431,7 +1431,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2606:4700:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2607:f3c8:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2001:67c:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1449,9 +1449,9 @@
 ],
 "ip": [
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
- "2606:4700:f1::1",
- "2607:f3c8:3803:1::6",
- "2001:67c:1560:8003::c7",
+ "2a02:cf40:f1::1",
+ "2a02:cf40:3803:1::6",
+ "2a02:cf40:1560:8003::c7",
 "172.31.86.159"
 ]
 },
@@ -1545,17 +1545,17 @@
 },
 {
 "class": "IN",
- "data": "45.63.54.13",
+ "data": "67.43.156.13",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "216.229.4.69",
+ "data": "216.160.83.57",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "45.79.111.167",
+ "data": "216.160.83.61",
 "type": "A"
 }
 ],
@@ -1577,7 +1577,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"45.63.54.13\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.229.4.69\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"45.79.111.167\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.13\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.57\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1595,9 +1595,9 @@
 ],
 "ip": [
 "81.2.69.143",
- "45.63.54.13",
- "216.229.4.69",
- "45.79.111.167",
+ "67.43.156.13",
+ "216.160.83.57",
+ "216.160.83.61",
 "172.31.86.159"
 ]
 },
@@ -1631,17 +1631,17 @@
 },
 {
 "class": "IN",
- "data": "108.61.73.244",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "71.43.215.194",
+ "data": "67.43.156.12",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "162.159.200.1",
+ "data": "175.16.199.1",
 "type": "A"
 }
 ],
@@ -1663,7 +1663,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"108.61.73.244\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"71.43.215.194\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"162.159.200.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1681,9 +1681,9 @@
 ],
 "ip": [
 "175.16.199.1",
- "108.61.73.244",
- "71.43.215.194",
- "162.159.200.1",
+ "81.2.69.143",
+ "67.43.156.12",
+ "175.16.199.1",
 "172.31.86.159"
 ]
 },
@@ -1717,17 +1717,17 @@
 },
 {
 "class": "IN",
- "data": "216.229.0.50",
+ "data": "216.160.83.61",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "192.227.183.3",
+ "data": "67.43.156.12",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "162.159.200.1",
+ "data": "175.16.199.1",
 "type": "A"
 }
 ],
@@ -1749,7 +1749,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.229.0.50\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"192.227.183.3\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"162.159.200.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1767,9 +1767,9 @@
 ],
 "ip": [
 "81.2.69.143",
- "216.229.0.50",
- "192.227.183.3",
- "162.159.200.1",
+ "216.160.83.61",
+ "67.43.156.12",
+ "175.16.199.1",
 "172.31.86.159"
 ]
 },
@@ -1797,7 +1797,7 @@
 "dns": {
 "question": {
 "class": "IN",
- "name": "37.85.255.92.in-addr.arpa",
+ "name": "143.69.2.81.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NXDOMAIN"
@@ -1810,7 +1810,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:47:41Z\",\"query_name\":\"37.85.255.92.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"39685\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:47:41Z\",\"query_name\":\"143.69.2.81.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"39685\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "failure",
 "type": [
 "protocol"
@@ -1825,7 +1825,7 @@
 "related": {
 "ip": [
 "172.31.86.159",
- "92.255.85.37"
+ "81.2.69.143"
 ]
 },
 "source": {
@@ -1989,13 +1989,13 @@
 "answers": [
 {
 "class": "IN",
- "data": "ec2-54-85-252-249.compute-1.amazonaws.com",
+ "data": "ec2-89.160.20.112.compute-1.amazonaws.com",
 "type": "PTR"
 }
 ],
 "question": {
 "class": "IN",
- "name": "249.252.85.54.in-addr.arpa",
+ "name": "143.69.2.81.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NOERROR"
@@ -2008,7 +2008,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"249.252.85.54.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-54-85-252-249.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"143.69.2.81.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-89.160.20.112.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2022,11 +2022,11 @@
 },
 "related": {
 "hosts": [
- "ec2-54-85-252-249.compute-1.amazonaws.com"
+ "ec2-89.160.20.112.compute-1.amazonaws.com"
 ],
 "ip": [
 "172.31.86.159",
- "54.85.252.249"
+ "81.2.69.143"
 ]
 },
 "source": {
@@ -2154,7 +2154,7 @@
 ],
 "question": {
 "class": "IN",
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "15.199.16.175.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NOERROR"
@@ -2167,7 +2167,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2185,7 +2185,7 @@
 ],
 "ip": [
 "81.2.69.143",
- "32.4.3.15"
+ "175.16.199.15"
 ]
 },
 "source": {
@@ -2229,7 +2229,7 @@
 "answers": [
 {
 "class": "IN",
- "data": "ec2-54-85-252-249.compute-1.amazonaws.com",
+ "data": "ec2-89.160.20.112.compute-1.amazonaws.com",
 "type": "PTR"
 }
 ],
@@ -2248,7 +2248,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-54-85-252-249.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-89.160.20.112.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2262,7 +2262,7 @@
 },
 "related": {
 "hosts": [
- "ec2-54-85-252-249.compute-1.amazonaws.com"
+ "ec2-89.160.20.112.compute-1.amazonaws.com"
 ],
 "ip": [
 "172.31.86.159",
diff --git a/packages/aws/data_stream/route53_resolver_logs/sample_event.json b/packages/aws/data_stream/route53_resolver_logs/sample_event.json
index 8a7b227dca..77e86321a0 100644
--- a/packages/aws/data_stream/route53_resolver_logs/sample_event.json
+++ b/packages/aws/data_stream/route53_resolver_logs/sample_event.json
@@ -44,7 +44,7 @@
 },
 "dns": {
 "question": {
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "15.199.16.175.in-addr.arpa",
 "subdomain": "15.3.4",
 "registered_domain": "32.in-addr.arpa",
 "type": "PTR",
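Review bot: `dns.question.name` is rewritten to `15.199.16.175.in-addr.arpa` in the sample_event.json hunk at @@ -44, but the sibling fields on the following context lines, `"subdomain": "15.3.4"` and `"registered_domain": "32.in-addr.arpa"`, still describe the old name, so the sample event no longer agrees with itself. Those two values are presumably derived from the name by the pipeline, so by the same split the hunk should also carry `"subdomain": "15.199.16",` and `"registered_domain": "175.in-addr.arpa",` — or, better, the sample event should be regenerated from the updated fixture rather than patched by hand, since hand-edits leave derived fields like these stale. The same stale pair is left in place in docs/route53.md at @@ -256, which looks to be rendered from this sample event.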
@@ -71,7 +71,7 @@
 "event": {
 "agent_id_status": "verified",
 "ingested": "2021-12-12T00:28:02.201047005Z",
- "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "category": [
 "network"
 ],
@@ -94,7 +94,7 @@
 },
 "related": {
 "hosts": [
- "15.3.4.32.in-addr.arpa"
+ "15.199.16.175.in-addr.arpa"
 ],
 "ip": [
 "4.5.64.102"
diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md
index 0c0ab49f5f..c341320116 100644
--- a/packages/aws/docs/route53.md
+++ b/packages/aws/docs/route53.md
@@ -256,7 +256,7 @@ An example event for `route53_resolver` looks as following:
 },
 "dns": {
 "question": {
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "15.199.16.175.in-addr.arpa",
 "subdomain": "15.3.4",
 "registered_domain": "32.in-addr.arpa",
 "type": "PTR",
@@ -283,7 +283,7 @@ An example event for `route53_resolver` looks as following:
 "event": {
 "agent_id_status": "verified",
 "ingested": "2021-12-12T00:28:02.201047005Z",
- "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "category": [
 "network"
 ],
@@ -306,7 +306,7 @@ An example event for `route53_resolver` looks as following:
 },
 "related": {
 "hosts": [
- "15.3.4.32.in-addr.arpa"
+ "15.199.16.175.in-addr.arpa"
 ],
 "ip": [
 "4.5.64.102"
diff --git a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson
index 9f38719e12..3aebd4412d 100644
--- a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson
+++ b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson 
@@ -5,7 +5,7 @@ {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:0200:0000:0000:0000:0000:0729","2a02:cf40:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
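Review bot: This sample file and `packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log` are byte-identical copies (both index lines read `9f38719e12..3aebd4412d`), so every address scrub has to be repeated by hand in two places, as this change does in this hunk, again in the `@@ -21,4 +21,4 @@` hunk, and once more in the second file's two hunks. Nothing ties the two copies together, so a future edit to one of them can silently leave the docker sample data and the pipeline fixture diverged. I'd keep one canonical copy and add a cheap guard, for example a CI step running `cmp packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log`, so the next scrub cannot miss one of them.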
@@ -21,4 +21,4 @@ {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} +{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} 
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
index 9f38719e12..3aebd4412d 100644
--- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
+++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
@@ -5,7 +5,7 @@ {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:0200:0000:0000:0000:0000:0729","2a02:cf40:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
@@ -21,4 +21,4 @@ {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} +{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} 
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index 82b3dba9a8..2903e6b02a 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json @@ -564,13 +564,13 @@ "type": "AAAA" }, { - "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "data": "2a02:cf40:0200:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "data": "2a02:cf40:0400:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" @@ -591,8 +591,8 @@ "resolved_ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729" + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729" ], "response_code": "NOERROR", "type": "answer" 
@@ -606,7 +606,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:0200:0000:0000:0000:0000:0729\",\"2a02:cf40:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "type": [ "protocol" ] @@ -619,8 +619,8 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] 
@@ -1866,13 +1866,13 @@ "type": "AAAA" }, { - "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "data": "2a02:cf40:0200:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "data": "2a02:cf40:0400:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" @@ -1898,8 +1898,8 @@ }, "resolved_ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "response_code": "NOERROR", 
@@ -1914,7 +1914,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", + "original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", "type": [ "protocol" ] @@ -1927,8 +1927,8 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json index f9c1da4214..f8cd0aa2ea 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json 
@@ -592,7 +592,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
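Review bot: The pipeline input fixture is edited here, but its paired expected output, `test-sysmon-operational-events.json-expected.json`, does not appear anywhere in this chunk; if the ingest pipeline extracts the addresses in `QueryResults` into fields such as `dns.resolved_ip` or `related.ip` (not verifiable from these lines), the swapped `2a02:cf40:…` values will surface in the output and the fixture test will fail until the expected file is regenerated with `elastic-package test pipeline --generate`. The same applies to the second event's hunks at `@@ -1116,7` and `@@ -1135,7`. The rewritten `event.original` in this hunk and the parsed `event_data.QueryResults` in the next one carry the same address list, so the two views of the record do stay consistent with each other.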
@@ -616,7 +616,7 @@ } }, "event_data": { - "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.274", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1116,7 +1116,7 @@ "event_data": { "QueryName": "nym1-ib.adnxs.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.633", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1135,7 +1135,7 @@
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
 }
 },
 {
@@ -1182,7 +1182,7 @@
 "event": {
 "code": "22",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon"
 },
 "winlog": {
@@ -1202,7 +1202,7 @@
 "event_data": {
 "QueryName": "px.ads.linkedin.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.727",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1268,7 +1268,7 @@
 "provider": "Microsoft-Windows-Sysmon",
 "code": "22",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
 },
 "winlog": {
 "version": 5,
@@ -1287,7 +1287,7 @@
 "ProcessId": "2736",
 "QueryName": "dis.criteo.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792"
 },
@@ -1311,7 +1311,7 @@
 {
 "@timestamp": "2021-05-05T15:30:51.696Z",
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "code": "22",
 "kind": "event"
@@ -1330,7 +1330,7 @@
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1389,7 +1389,7 @@
 {
 "@timestamp": "2021-05-05T15:30:51.696Z",
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -1401,7 +1401,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.821",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1467,7 +1467,7 @@
 {
 "@timestamp": "2021-05-05T15:30:51.696Z",
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon",
 "code": "22"
@@ -1491,7 +1491,7 @@
 "ProcessId": "2736",
 "QueryName": "protected-by.clarium.io",
 "QueryStatus": "0",
- "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;",
+ "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1635,7 +1635,7 @@
 "event_data": {
 "QueryName": "onevideosync.uplynk.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.844",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1664,7 +1664,7 @@
 "event": {
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22"
 },
 "log": {
@@ -1798,7 +1798,7 @@
 "level": "information"
 },
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -1821,7 +1821,7 @@
 "ProcessId": "2736",
 "QueryName": "pm.w55c.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1837,7 +1837,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1864,7 +1864,7 @@
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.093",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1927,7 +1927,7 @@
 "ProcessId": "2736",
 "QueryName": "cm.adgrx.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -1955,7 +1955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1978,7 +1978,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.107",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1996,7 +1996,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2235,7 +2235,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2261,7 +2261,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2332,7 +2332,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2353,7 +2353,7 @@
 "ProcessId": "2736",
 "QueryName": "image2.pubmatic.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
+ "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;"
 },
 "process": {
 "thread": {
@@ -2419,7 +2419,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2445,7 +2445,7 @@
 "computer_name": "vagrant-2016",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "event_data": {
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.222",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2504,7 +2504,7 @@
 "event_data": {
 "QueryName": "urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.271",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2532,7 +2532,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2759,7 +2759,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -2780,7 +2780,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2924,7 +2924,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "level": "information",
@@ -2946,7 +2946,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3254,7 +3254,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3277,7 +3277,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.581"
 },
@@ -4025,7 +4025,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@
 "event_data": {
 "QueryName": "pixel.adsafeprotected.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4070,7 +4070,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4082,7 +4082,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4112,7 +4112,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4126,7 +4126,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4155,7 +4155,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4185,7 +4185,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4336,7 +4336,7 @@
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;",
+ "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.137",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4355,7 +4355,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4364,7 +4364,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4384,7 +4384,7 @@ "event_data": { "QueryName": "farm.plista.com", "QueryStatus": "0", - "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.141", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -4885,7 +4885,7 @@ "ProcessId": "2736", "QueryName": "sync.mathtag.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;" + "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;" }, "record_id": 141, "event_id": "22", 
@@ -4905,7 +4905,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4967,7 +4967,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.184", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4990,7 +4990,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -5015,7 +5015,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5031,7 +5031,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5104,7 +5104,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5115,7 +5115,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5214,7 +5214,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5241,7 +5241,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5337,7 +5337,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5354,7 +5354,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5387,7 +5387,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5409,7 +5409,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5463,7 +5463,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5475,7 +5475,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5505,7 +5505,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5524,7 +5524,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5547,7 +5547,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5564,7 +5564,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5586,7 +5586,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5598,7 +5598,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5650,7 +5650,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5661,7 +5661,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5675,7 +5675,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5684,7 +5684,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5713,7 +5713,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5745,7 +5745,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5757,7 +5757,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5771,7 +5771,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6440,7 +6440,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6456,7 +6456,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6483,7 +6483,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6491,7 +6491,7 @@ "event_data": { "QueryName": "ads.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;", + "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.945", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -6588,7 +6588,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6609,7 +6609,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6719,7 +6719,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6729,7 +6729,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6867,7 +6867,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6896,7 +6896,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6955,7 +6955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6965,7 +6965,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6998,7 +6998,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7015,7 +7015,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7038,7 +7038,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7050,7 +7050,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7127,7 +7127,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7155,7 +7155,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7164,7 +7164,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7188,7 +7188,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7219,7 +7219,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7236,7 +7236,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7425,7 +7425,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7437,7 +7437,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7464,7 +7464,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7479,7 +7479,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7570,7 +7570,7 @@ "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" } }, 
@@ -7578,7 +7578,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7593,7 +7593,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7602,7 +7602,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca4.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.184" }, 
@@ -7681,7 +7681,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7692,7 +7692,7 @@ "event_data": { "QueryName": "match.sync.ad.cpe.dotomi.com", "QueryStatus": "0", - "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.730", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7828,7 +7828,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:16.329", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7852,7 +7852,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7904,7 +7904,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7934,7 +7934,7 @@ "ProcessId": "2736", "QueryName": "syndication.twitter.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;" + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;" } }, "log": { 
@@ -8608,7 +8608,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8625,7 +8625,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 90939021c5..0839ad6d78 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -1328,7 +1328,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -1336,7 +1336,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -1344,7 +1344,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -1362,11 +1362,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
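Review bot: The `2a02:cf40:…` replacements in the `dns.answers` and `dns.resolved_ip` entries of this section are not in the IPv6 documentation prefix (`2001:db8::/32`, RFC 3849), so a reader cannot tell from the fixture whether the intent is "non-routable sample data" or "an address the bundled GeoIP test database knows" (the `89.160.20.156` kept alongside suggests the latter, but that is an inference). Since JSON offers no place for a comment, state the chosen convention in the changelog or PR description, e.g. `Test fixtures use only addresses from the GeoIP test database or RFC 3849/5737 documentation ranges`, so future fixtures do not drift back to real third-party addresses like the removed `2001:503:a83e::2:30`. If a `geoip` processor is applied to `dns.resolved_ip` in this pipeline, the expected output would also need the new geo fields, which do not appear here — worth a quick check.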
@@ -1380,7 +1380,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1409,11 +1409,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -2551,7 +2551,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2559,7 +2559,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2583,9 +2583,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -2599,7 +2599,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2626,9 +2626,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -2824,7 +2824,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2832,7 +2832,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2840,7 +2840,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -2848,7 +2848,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -2865,13 +2865,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -2885,7 +2885,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2914,13 +2914,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -3077,7 +3077,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -3085,7 +3085,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -3093,7 +3093,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -3101,7 +3101,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -3109,7 +3109,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -3126,15 +3126,15 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -3148,7 +3148,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3175,15 +3175,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -3264,7 +3264,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -3288,7 +3288,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3302,7 +3302,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3331,7 +3331,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -3494,7 +3494,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -3517,7 +3517,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3531,7 +3531,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3559,7 +3559,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -3731,7 +3731,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -3751,7 +3751,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -3764,7 +3764,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3792,7 +3792,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -4162,7 +4162,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -4180,7 +4180,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4194,7 +4194,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4224,7 +4224,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -4563,7 +4563,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -4587,7 +4587,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -4601,7 +4601,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4629,7 +4629,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -4674,7 +4674,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -4682,7 +4682,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4690,7 +4690,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4698,7 +4698,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4706,7 +4706,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -4723,15 +4723,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -4745,7 +4745,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4772,15 +4772,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -4919,7 +4919,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4927,7 +4927,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4935,7 +4935,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4943,7 +4943,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4951,7 +4951,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -4964,15 +4964,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -4985,7 +4985,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5013,15 +5013,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -5073,7 +5073,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5081,7 +5081,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5089,7 +5089,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5097,7 +5097,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5110,13 +5110,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5129,7 +5129,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5158,13 +5158,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5644,7 +5644,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5652,7 +5652,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5660,7 +5660,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5668,7 +5668,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5681,13 +5681,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5700,7 +5700,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5728,13 +5728,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5888,7 +5888,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5896,7 +5896,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5904,7 +5904,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5912,7 +5912,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5925,13 +5925,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5944,7 +5944,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5973,13 +5973,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6135,7 +6135,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6143,7 +6143,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6151,7 +6151,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6159,7 +6159,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -6175,13 +6175,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -6194,7 +6194,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6221,13 +6221,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6379,7 +6379,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6387,7 +6387,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6404,9 +6404,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -6420,7 +6420,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6449,9 +6449,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -6881,7 +6881,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -6889,7 +6889,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6897,7 +6897,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6905,7 +6905,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -6922,13 +6922,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -6942,7 +6942,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6970,13 +6970,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7265,7 +7265,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -7273,7 +7273,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -7281,7 +7281,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -7289,7 +7289,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -7306,13 +7306,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7326,7 +7326,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7354,13 +7354,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7922,7 +7922,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -7930,7 +7930,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -7938,7 +7938,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -7946,7 +7946,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -7963,13 +7963,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -7983,7 +7983,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -8011,13 +8011,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9322,7 +9322,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9330,7 +9330,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9338,7 +9338,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9346,7 +9346,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9363,13 +9363,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9383,7 +9383,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9411,13 +9411,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9470,7 +9470,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9478,7 +9478,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9486,7 +9486,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9494,7 +9494,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9512,13 +9512,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9532,7 +9532,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9559,13 +9559,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9614,7 +9614,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9622,7 +9622,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9630,7 +9630,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9638,7 +9638,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9646,7 +9646,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -9660,15 +9660,15 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -9681,7 +9681,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9708,15 +9708,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -9764,7 +9764,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9772,7 +9772,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9780,7 +9780,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9788,7 +9788,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9805,13 +9805,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9825,7 +9825,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9853,13 +9853,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -10215,7 +10215,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -10223,7 +10223,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -10231,7 +10231,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -10247,11 +10247,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -10264,7 +10264,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10292,11 +10292,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:83eb::30" ] }, "sysmon": { @@ -10360,7 +10360,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -10368,7 +10368,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -10376,7 +10376,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -10397,11 +10397,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -10415,7 +10415,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10443,11 +10443,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11274,7 +11274,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -11282,7 +11282,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -11290,7 +11290,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -11310,11 +11310,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -11328,7 +11328,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11356,11 +11356,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -11532,7 +11532,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11556,7 +11556,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -11570,7 +11570,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11598,7 +11598,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -11647,7 +11647,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11655,7 +11655,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -11663,7 +11663,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -11671,7 +11671,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -11688,13 +11688,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -11708,7 +11708,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11736,13 +11736,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -11902,7 +11902,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -11910,7 +11910,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -11918,7 +11918,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -11926,7 +11926,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -11934,7 +11934,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -11951,15 +11951,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -11973,7 +11973,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12000,15 +12000,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -12257,7 +12257,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -12265,7 +12265,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -12273,7 +12273,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -12281,7 +12281,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -12298,13 +12298,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -12318,7 +12318,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12346,13 +12346,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12590,7 +12590,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -12598,7 +12598,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -12606,7 +12606,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -12614,7 +12614,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -12631,13 +12631,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -12651,7 +12651,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12679,13 +12679,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12730,7 +12730,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -12738,7 +12738,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -12746,7 +12746,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -12754,7 +12754,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -12762,7 +12762,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -12775,15 +12775,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -12796,7 +12796,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12823,15 +12823,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -13022,7 +13022,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -13042,7 +13042,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -13055,7 +13055,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13083,7 +13083,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -13147,7 +13147,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13167,7 +13167,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -13181,7 +13181,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13210,7 +13210,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -13267,7 +13267,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -13275,7 +13275,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { 
@@ -13293,9 +13293,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -13309,7 +13309,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13338,9 +13338,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -13417,7 +13417,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13425,7 +13425,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" } ], @@ -13445,9 +13445,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30" + "2a02:cf40:231d::2:30" ] }, "ecs": { 
@@ -13460,7 +13460,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13488,9 +13488,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30" + "2a02:cf40:231d::2:30" ] }, "sysmon": { @@ -13534,7 +13534,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13542,7 +13542,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13550,7 +13550,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13558,7 +13558,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13566,7 +13566,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -13579,15 +13579,15 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -13600,7 +13600,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13627,15 +13627,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -13687,7 +13687,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -13695,7 +13695,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13703,7 +13703,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13720,11 +13720,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -13738,7 +13738,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13767,11 +13767,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -13820,7 +13820,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13828,7 +13828,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13836,7 +13836,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13844,7 +13844,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13861,13 +13861,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13881,7 +13881,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13909,13 +13909,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13964,7 +13964,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -13972,7 +13972,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13980,7 +13980,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13988,7 +13988,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -14005,13 +14005,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -14025,7 +14025,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -14053,13 +14053,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -15598,7 +15598,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -15606,7 +15606,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -15614,7 +15614,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -15622,7 +15622,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -15630,7 +15630,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -15647,15 +15647,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -15669,7 +15669,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15696,15 +15696,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -15749,7 +15749,7 @@
 "type": "A"
 },
 {
- "data": "98.138.49.44",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
@@ -15769,7 +15769,7 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "98.138.49.44",
+ "81.2.69.143",
 "89.160.20.156",
 "89.160.20.156"
 ]
@@ -15784,7 +15784,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15811,7 +15811,7 @@ ], "ip": [ "89.160.20.156", - "98.138.49.44" + "81.2.69.143" ] }, "sysmon": { @@ -15957,7 +15957,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -15965,7 +15965,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15973,7 +15973,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { 
@@ -15981,7 +15981,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -15989,7 +15989,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -16002,15 +16002,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -16023,7 +16023,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16050,15 +16050,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -16298,7 +16298,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -16306,7 +16306,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -16314,7 +16314,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -16334,11 +16334,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -16352,7 +16352,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16380,11 +16380,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -16791,7 +16791,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16815,7 +16815,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -16829,7 +16829,7 @@ "code": "22", "created": "2019-07-18T03:34:09.053Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16858,7 +16858,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -17030,7 +17030,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17054,7 +17054,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -17068,7 +17068,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17096,7 +17096,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -17141,7 +17141,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17149,7 +17149,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -17157,7 +17157,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -17165,7 +17165,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -17173,7 +17173,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -17190,15 +17190,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -17212,7 +17212,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17239,15 +17239,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -17296,7 +17296,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17304,7 +17304,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17312,7 +17312,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17320,7 +17320,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17338,13 +17338,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -17358,7 +17358,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17385,13 +17385,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -17570,7 +17570,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17578,7 +17578,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17586,7 +17586,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17594,7 +17594,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17602,7 +17602,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -17616,15 +17616,15 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -17637,7 +17637,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17664,15 +17664,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -17760,11 +17760,11 @@ "type": "A" }, { - "data": "198.7.56.229", + "data": "216.160.83.59", "type": "A" }, { - "data": "198.7.56.231", + "data": "216.160.83.61", "type": "A" }, { @@ -17844,7 +17844,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17852,7 +17852,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17860,7 +17860,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17868,7 +17868,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17876,7 +17876,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -17884,7 +17884,7 @@ "type": "A" }, { - "data": "2001:503:d414::30", + "data": "2a02:cf40:d414::30", "type": "AAAA" }, { @@ -17892,7 +17892,7 @@ "type": "A" }, { - "data": "2001:503:eea3::30", + "data": "2a02:cf40:eea3::30", "type": "AAAA" }, { @@ -17900,7 +17900,7 @@ "type": "A" }, { - "data": "2001:502:8cc::30", + "data": "2a02:cf40:8cc::30", "type": "AAAA" }, { @@ -17908,7 +17908,7 @@ "type": "A" }, { - "data": "2001:503:39c1::30", + "data": "2a02:cf40:39c1::30", "type": "AAAA" }, { @@ -17916,7 +17916,7 @@ "type": "A" }, { - "data": "2001:502:7094::30", + "data": "2a02:cf40:7094::30", "type": "AAAA" } ], @@ -17939,8 +17939,8 @@ "89.160.20.156", "89.160.20.156", "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.59", + "216.160.83.61", "89.160.20.156", "89.160.20.156", "89.160.20.156", 
@@ -17960,25 +17960,25 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", - "2001:502:8cc::30", + "2a02:cf40:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", - "2001:502:7094::30" + "2a02:cf40:7094::30" ] }, "ecs": { 
@@ -17991,7 +17991,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -18018,28 +18018,28 @@ ], "ip": [ "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.59", + "216.160.83.61", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", - "2001:502:8cc::30", + "2a02:cf40:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", - "2001:502:7094::30" + "2a02:cf40:7094::30" ] }, "sysmon": { @@ -18131,7 +18131,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -18155,7 +18155,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -18168,7 +18168,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18196,7 +18196,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -18621,7 +18621,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18629,7 +18629,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18637,7 +18637,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18658,11 +18658,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -18676,7 +18676,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18703,11 +18703,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -18764,7 +18764,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18772,7 +18772,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18780,7 +18780,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18788,7 +18788,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -18804,13 +18804,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -18823,7 +18823,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18850,13 +18850,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -18999,7 +18999,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19007,7 +19007,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19015,7 +19015,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19023,7 +19023,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19040,13 +19040,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19060,7 +19060,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19088,13 +19088,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19150,7 +19150,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19158,7 +19158,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19166,7 +19166,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19174,7 +19174,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19191,13 +19191,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19211,7 +19211,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19239,13 +19239,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19438,7 +19438,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19446,7 +19446,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19463,9 +19463,9 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30"
 ]
 },
@@ -19479,7 +19479,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19509,9 +19509,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -19764,7 +19764,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19772,7 +19772,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19780,7 +19780,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19788,7 +19788,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19805,13 +19805,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19825,7 +19825,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19853,13 +19853,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -20026,7 +20026,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -20034,7 +20034,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -20042,7 +20042,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -20050,7 +20050,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -20066,13 +20066,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -20085,7 +20085,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -20112,13 +20112,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -21351,7 +21351,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -21359,7 +21359,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -21367,7 +21367,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -21380,11 +21380,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -21397,7 +21397,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21426,11 +21426,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:83eb::30" ] }, "sysmon": { 
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
index 577c9798a8..f139817615 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
@@ -517,7 +517,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -541,7 +541,7 @@ } }, "event_data": { - "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.274", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1041,7 +1041,7 @@ "event_data": { "QueryName": "nym1-ib.adnxs.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.633", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1060,7 +1060,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1107,7 +1107,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1127,7 +1127,7 @@ "event_data": { "QueryName": "px.ads.linkedin.com", "QueryStatus": "0", - "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.727", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1193,7 +1193,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1212,7 +1212,7 @@ "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792" }, 
@@ -1236,7 +1236,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1255,7 +1255,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "information", "event_data": { - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1314,7 +1314,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1326,7 +1326,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.821", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1392,7 +1392,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1416,7 +1416,7 @@ "ProcessId": "2736", "QueryName": "protected-by.clarium.io", "QueryStatus": "0", - "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { @@ -1560,7 +1560,7 @@ "event_data": { "QueryName": "onevideosync.uplynk.com", "QueryStatus": "0", - "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.844", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1589,7 +1589,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1723,7 +1723,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1746,7 +1746,7 @@ "ProcessId": "2736", "QueryName": "pm.w55c.net", "QueryStatus": "0", - "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1762,7 +1762,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1789,7 +1789,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1852,7 +1852,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -1880,7 +1880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1903,7 +1903,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.107", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1921,7 +1921,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2160,7 +2160,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2186,7 +2186,7 @@ "ProcessId": "2736", "QueryName": "tpc.googlesyndication.com", "QueryStatus": "0", - "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.146" }, 
@@ -2257,7 +2257,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2278,7 +2278,7 @@ "ProcessId": "2736", "QueryName": "image2.pubmatic.com", "QueryStatus": "0", - "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;" + "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;" }, "process": { "thread": { 
@@ -2344,7 +2344,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2370,7 +2370,7 @@ "computer_name": "vagrant-2016", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "event_data": { - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.222", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -2429,7 +2429,7 @@ "event_data": { "QueryName": "urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2457,7 +2457,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2684,7 +2684,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -2705,7 +2705,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2849,7 +2849,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "level": "information",
@@ -2871,7 +2871,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3179,7 +3179,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3202,7 +3202,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.581"
 },
@@ -3950,7 +3950,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -3976,7 +3976,7 @@
 "event_data": {
 "QueryName": "pixel.adsafeprotected.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -3995,7 +3995,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4007,7 +4007,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4037,7 +4037,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4080,7 +4080,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4110,7 +4110,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4261,7 +4261,7 @@ "ProcessId": "2736", "QueryName": "pre-usermatch.targeting.unrulymedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;", + "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.137", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -4280,7 +4280,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4289,7 +4289,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4309,7 +4309,7 @@ "event_data": { "QueryName": "farm.plista.com", "QueryStatus": "0", - "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.141", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -4810,7 +4810,7 @@ "ProcessId": "2736", "QueryName": "sync.mathtag.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;" + "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;" }, "record_id": 141, "event_id": "22", 
@@ -4830,7 +4830,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4892,7 +4892,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.184", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4915,7 +4915,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4940,7 +4940,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -4956,7 +4956,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5029,7 +5029,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5040,7 +5040,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5139,7 +5139,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5166,7 +5166,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5262,7 +5262,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5279,7 +5279,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5312,7 +5312,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5334,7 +5334,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5388,7 +5388,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5400,7 +5400,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5430,7 +5430,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5449,7 +5449,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5472,7 +5472,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5489,7 +5489,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5511,7 +5511,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5523,7 +5523,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5575,7 +5575,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5586,7 +5586,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5600,7 +5600,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5609,7 +5609,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5638,7 +5638,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5670,7 +5670,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5682,7 +5682,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5696,7 +5696,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6365,7 +6365,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6381,7 +6381,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6408,7 +6408,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6416,7 +6416,7 @@ "event_data": { "QueryName": "ads.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;", + "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.945", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -6513,7 +6513,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6534,7 +6534,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6644,7 +6644,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6654,7 +6654,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6792,7 +6792,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6821,7 +6821,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6880,7 +6880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6890,7 +6890,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6923,7 +6923,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -6940,7 +6940,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6963,7 +6963,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6975,7 +6975,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7052,7 +7052,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7080,7 +7080,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7089,7 +7089,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7113,7 +7113,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7144,7 +7144,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7161,7 +7161,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7350,7 +7350,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7362,7 +7362,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7389,7 +7389,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7404,7 +7404,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7495,7 +7495,7 @@ "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" } }, 
@@ -7503,7 +7503,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7518,7 +7518,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7527,7 +7527,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca4.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.184"
 },
@@ -7606,7 +7606,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7617,7 +7617,7 @@
 "event_data": {
 "QueryName": "match.sync.ad.cpe.dotomi.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
+ "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.730",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7753,7 +7753,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.329",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7777,7 +7777,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7829,7 +7829,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7859,7 +7859,7 @@
 "ProcessId": "2736",
 "QueryName": "syndication.twitter.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;"
 }
 },
 "log": {
@@ -8533,7 +8533,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8550,7 +8550,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index e2dc82e965..1faa38016b 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -1204,7 +1204,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -1212,7 +1212,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -1220,7 +1220,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -1238,11 +1238,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -1256,7 +1256,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1285,11 +1285,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -2439,7 +2439,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2447,7 +2447,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2471,9 +2471,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -2487,7 +2487,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2514,9 +2514,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -2712,7 +2712,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2720,7 +2720,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -2728,7 +2728,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -2736,7 +2736,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -2753,13 +2753,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -2773,7 +2773,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -2802,13 +2802,13 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -2965,7 +2965,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -2973,7 +2973,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -2981,7 +2981,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -2989,7 +2989,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -2997,7 +2997,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -3014,15 +3014,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -3036,7 +3036,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3063,15 +3063,15 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -3152,7 +3152,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -3176,7 +3176,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3190,7 +3190,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3219,7 +3219,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3382,7 +3382,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -3405,7 +3405,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3419,7 +3419,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3447,7 +3447,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3619,7 +3619,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 }
 ],
@@ -3639,7 +3639,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "ecs": {
@@ -3652,7 +3652,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3680,7 +3680,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "sysmon": {
@@ -4050,7 +4050,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4068,7 +4068,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4082,7 +4082,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4112,7 +4112,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4451,7 +4451,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4475,7 +4475,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4489,7 +4489,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.802Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4517,7 +4517,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4562,7 +4562,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4570,7 +4570,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4578,7 +4578,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4586,7 +4586,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4594,7 +4594,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -4611,15 +4611,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -4633,7 +4633,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4660,15 +4660,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -4807,7 +4807,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -4815,7 +4815,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -4823,7 +4823,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -4831,7 +4831,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -4839,7 +4839,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -4852,15 +4852,15 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -4873,7 +4873,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4901,15 +4901,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -4961,7 +4961,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -4969,7 +4969,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -4977,7 +4977,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -4985,7 +4985,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -4998,13 +4998,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5017,7 +5017,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5046,13 +5046,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5532,7 +5532,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5540,7 +5540,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5548,7 +5548,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5556,7 +5556,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5569,13 +5569,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5588,7 +5588,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5616,13 +5616,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5776,7 +5776,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5784,7 +5784,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5792,7 +5792,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5800,7 +5800,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5813,13 +5813,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5832,7 +5832,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5861,13 +5861,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6023,7 +6023,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6031,7 +6031,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6039,7 +6039,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6047,7 +6047,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -6063,13 +6063,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -6082,7 +6082,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6109,13 +6109,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6267,7 +6267,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6275,7 +6275,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6292,9 +6292,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -6308,7 +6308,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6337,9 +6337,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -6769,7 +6769,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -6777,7 +6777,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6785,7 +6785,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6793,7 +6793,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -6810,13 +6810,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -6830,7 +6830,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6858,13 +6858,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7153,7 +7153,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -7161,7 +7161,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -7169,7 +7169,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -7177,7 +7177,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -7194,13 +7194,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -7214,7 +7214,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7242,13 +7242,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7810,7 +7810,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -7818,7 +7818,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -7826,7 +7826,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -7834,7 +7834,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -7851,13 +7851,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -7871,7 +7871,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7899,13 +7899,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9210,7 +9210,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9218,7 +9218,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9226,7 +9226,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9234,7 +9234,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9251,13 +9251,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9271,7 +9271,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9299,13 +9299,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9358,7 +9358,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9366,7 +9366,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9374,7 +9374,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9382,7 +9382,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9400,13 +9400,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9420,7 +9420,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9447,13 +9447,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9502,7 +9502,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9510,7 +9510,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9518,7 +9518,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9526,7 +9526,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9534,7 +9534,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -9548,15 +9548,15 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -9569,7 +9569,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9596,15 +9596,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -9652,7 +9652,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9660,7 +9660,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9668,7 +9668,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9676,7 +9676,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9693,13 +9693,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9713,7 +9713,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9741,13 +9741,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -10103,7 +10103,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -10111,7 +10111,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -10119,7 +10119,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -10135,11 +10135,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -10152,7 +10152,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10180,11 +10180,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:83eb::30" ] }, "sysmon": { @@ -10248,7 +10248,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -10256,7 +10256,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -10264,7 +10264,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -10285,11 +10285,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -10303,7 +10303,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10331,11 +10331,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11162,7 +11162,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -11170,7 +11170,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11178,7 +11178,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11198,11 +11198,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11216,7 +11216,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11244,11 +11244,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -11420,7 +11420,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11444,7 +11444,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -11458,7 +11458,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11486,7 +11486,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -11535,7 +11535,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11543,7 +11543,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11551,7 +11551,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11559,7 +11559,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11576,13 +11576,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -11596,7 +11596,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11624,13 +11624,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -11790,7 +11790,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -11798,7 +11798,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11806,7 +11806,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11814,7 +11814,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11822,7 +11822,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -11839,15 +11839,15 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -11861,7 +11861,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11888,15 +11888,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -12145,7 +12145,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12153,7 +12153,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12161,7 +12161,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12169,7 +12169,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12186,13 +12186,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12206,7 +12206,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12234,13 +12234,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12478,7 +12478,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12486,7 +12486,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12494,7 +12494,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12502,7 +12502,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12519,13 +12519,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12539,7 +12539,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.692Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -12567,13 +12567,13 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
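Review bot: The new `+ "original"` line in the `@@ -12539` hunk (and the matching `original` hunks at 12684, 12943, 13069, 13197, 13348, 13488 and 13626) must match the pipeline test's input sample byte-for-byte, because `event.original` is the raw event carried through rather than a value the pipeline computes; confirm that the input sample was updated in the same change and that this expected file was regenerated by the test runner rather than hand-edited, so the `ip`/`resolved_ip` arrays and the `original` string cannot drift apart. The replacement `2a02:cf40:` addresses appear to be the ones served by the integration test GeoIP database, so if the expected document carries geo enrichment fields elsewhere, those should have been regenerated as well. The enclosing event object starts and ends outside this hunk.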
@@ -12618,7 +12618,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -12626,7 +12626,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -12634,7 +12634,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -12642,7 +12642,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -12650,7 +12650,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -12663,15 +12663,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -12684,7 +12684,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.693Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -12711,15 +12711,15 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "sysmon": {
@@ -12910,7 +12910,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 }
 ],
@@ -12930,7 +12930,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "ecs": {
@@ -12943,7 +12943,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.693Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -12971,7 +12971,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "sysmon": {
@@ -13035,7 +13035,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13055,7 +13055,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -13069,7 +13069,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.693Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -13098,7 +13098,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -13155,7 +13155,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13163,7 +13163,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -13181,9 +13181,9 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30"
 ]
 },
@@ -13197,7 +13197,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.693Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -13226,9 +13226,9 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30"
 ]
 },
@@ -13305,7 +13305,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13313,7 +13313,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 }
 ],
@@ -13333,9 +13333,9 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30"
+ "2a02:cf40:231d::2:30"
 ]
 },
 "ecs": {
@@ -13348,7 +13348,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.693Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -13376,9 +13376,9 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30"
+ "2a02:cf40:231d::2:30"
 ]
 },
 "sysmon": {
@@ -13422,7 +13422,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13430,7 +13430,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -13438,7 +13438,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -13446,7 +13446,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -13454,7 +13454,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -13467,15 +13467,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -13488,7 +13488,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:04.836Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -13515,15 +13515,15 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "sysmon": {
@@ -13575,7 +13575,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13583,7 +13583,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -13591,7 +13591,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -13608,11 +13608,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -13626,7 +13626,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13655,11 +13655,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -13708,7 +13708,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13716,7 +13716,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -13724,7 +13724,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -13732,7 +13732,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -13749,13 +13749,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -13769,7 +13769,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13797,13 +13797,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13852,7 +13852,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -13860,7 +13860,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -13868,7 +13868,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -13876,7 +13876,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -13893,13 +13893,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -13913,7 +13913,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13941,13 +13941,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -15486,7 +15486,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -15494,7 +15494,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -15502,7 +15502,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -15510,7 +15510,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -15518,7 +15518,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 },
 {
@@ -15535,15 +15535,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30"
 ]
 },
@@ -15557,7 +15557,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15584,15 +15584,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -15637,7 +15637,7 @@
 "type": "A"
 },
 {
- "data": "98.138.49.44",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
@@ -15657,7 +15657,7 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "98.138.49.44",
+ "81.2.69.143",
 "89.160.20.156",
 "89.160.20.156"
 ]
@@ -15672,7 +15672,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15699,7 +15699,7 @@ ], "ip": [ "89.160.20.156", - "98.138.49.44" + "81.2.69.143" ] }, "sysmon": { @@ -15845,7 +15845,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -15853,7 +15853,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15861,7 +15861,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { 
@@ -15869,7 +15869,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -15877,7 +15877,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:1ca1::30",
+ "data": "2a02:cf40:1ca1::30",
 "type": "AAAA"
 }
 ],
@@ -15890,15 +15890,15 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30"
+ "2a02:cf40:1ca1::30"
 ]
 },
 "ecs": {
@@ -15911,7 +15911,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15938,15 +15938,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -16186,7 +16186,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -16194,7 +16194,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -16202,7 +16202,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -16222,11 +16222,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -16240,7 +16240,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16268,11 +16268,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -16679,7 +16679,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16703,7 +16703,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -16717,7 +16717,7 @@ "code": "22", "created": "2019-07-18T03:34:09.053Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16746,7 +16746,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -16918,7 +16918,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16942,7 +16942,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -16956,7 +16956,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16984,7 +16984,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -17029,7 +17029,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17037,7 +17037,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17045,7 +17045,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17053,7 +17053,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17061,7 +17061,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -17078,15 +17078,15 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -17100,7 +17100,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17127,15 +17127,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -17184,7 +17184,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17192,7 +17192,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17200,7 +17200,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17208,7 +17208,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17226,13 +17226,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -17246,7 +17246,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17273,13 +17273,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -17458,7 +17458,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17466,7 +17466,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17474,7 +17474,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17482,7 +17482,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17490,7 +17490,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -17504,15 +17504,15 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -17525,7 +17525,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17552,15 +17552,15 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { 
@@ -17648,11 +17648,11 @@ "type": "A" }, { - "data": "198.7.56.229", + "data": "216.160.83.59", "type": "A" }, { - "data": "198.7.56.231", + "data": "216.160.83.61", "type": "A" }, { @@ -17732,7 +17732,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17740,7 +17740,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17748,7 +17748,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17756,7 +17756,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17764,7 +17764,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -17772,7 +17772,7 @@ "type": "A" }, { - "data": "2001:503:d414::30", + "data": "2a02:cf40:d414::30", "type": "AAAA" }, { @@ -17780,7 +17780,7 @@ "type": "A" }, { - "data": "2001:503:eea3::30", + "data": "2a02:cf40:eea3::30", "type": "AAAA" }, { @@ -17788,7 +17788,7 @@ "type": "A" }, { - "data": "2001:502:8cc::30", + "data": "2a02:cf40:8cc::30", "type": "AAAA" }, { @@ -17796,7 +17796,7 @@ "type": "A" }, { - "data": "2001:503:39c1::30", + "data": "2a02:cf40:39c1::30", "type": "AAAA" }, { @@ -17804,7 +17804,7 @@ "type": "A" }, { - "data": "2001:502:7094::30", + "data": "2a02:cf40:7094::30", "type": "AAAA" } ], @@ -17827,8 +17827,8 @@ "89.160.20.156", "89.160.20.156", "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.59", + "216.160.83.61", "89.160.20.156", "89.160.20.156", "89.160.20.156", 
@@ -17848,25 +17848,25 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", - "2001:502:8cc::30", + "2a02:cf40:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", - "2001:502:7094::30" + "2a02:cf40:7094::30" ] }, "ecs": { 
@@ -17879,7 +17879,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -17906,28 +17906,28 @@ ], "ip": [ "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.59", + "216.160.83.61", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", - "2001:502:8cc::30", + "2a02:cf40:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", - "2001:502:7094::30" + "2a02:cf40:7094::30" ] }, "sysmon": { @@ -18019,7 +18019,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -18043,7 +18043,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -18056,7 +18056,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18084,7 +18084,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -18509,7 +18509,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18517,7 +18517,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -18525,7 +18525,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -18546,11 +18546,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -18564,7 +18564,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18591,11 +18591,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -18652,7 +18652,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18660,7 +18660,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -18668,7 +18668,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -18676,7 +18676,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -18692,13 +18692,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -18711,7 +18711,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18738,13 +18738,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -18887,7 +18887,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -18895,7 +18895,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -18903,7 +18903,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -18911,7 +18911,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -18928,13 +18928,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -18948,7 +18948,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18976,13 +18976,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19038,7 +19038,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19046,7 +19046,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19054,7 +19054,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19062,7 +19062,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19079,13 +19079,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19099,7 +19099,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19127,13 +19127,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19326,7 +19326,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19334,7 +19334,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19351,9 +19351,9 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30"
 ]
 },
@@ -19367,7 +19367,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19397,9 +19397,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -19652,7 +19652,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19660,7 +19660,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19668,7 +19668,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19676,7 +19676,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19693,13 +19693,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19713,7 +19713,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19741,13 +19741,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19914,7 +19914,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -19922,7 +19922,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19930,7 +19930,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19938,7 +19938,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -19954,13 +19954,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -19973,7 +19973,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -20000,13 +20000,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:83eb::30", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -21245,7 +21245,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -21253,7 +21253,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -21261,7 +21261,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -21274,11 +21274,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -21291,7 +21291,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21320,11 +21320,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:83eb::30" ] }, "sysmon": { diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log index 01a26e3067..9b3913467f 100644 
--- a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
@@ -6,4 +6,4 @@
 {"ts":1617105597.390017,"uid":"CkQ7DU1qCEGKL5xgg6","id.orig_h":"10.156.0.2","id.orig_p":42609,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":23824,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
 {"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["89.160.20.156"],"TTLs":[119.0],"rejected":false}
 {"ts":1617105597.761449,"uid":"C86PHA3q1KAtU7gAkb","id.orig_h":"10.156.0.2","id.orig_p":41064,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":46754,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[250.0,250.0,250.0],"rejected":false}
-{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","1.128.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
index a3a633526d..82d4ad43f1 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
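Review bot: `1.128.31.143` and its siblings on the added line are not RFC 5737 documentation addresses; 1.128.0.0/11 is APNIC-allocated space, so the sample log swaps one set of real third-party addresses (40.126.31.0/24) for another rather than for a reserved range. The same substitution is made in test-dns.log @@ -3,6 and in every hunk of test-dns.log-expected.json. If the range was chosen because it is covered by the GeoIP test database the pipeline tests enrich against, a line to that effect in the commit description would explain why 192.0.2.0/24 was not used; if not, the RFC 5737 ranges are the safer choice for fixtures that tend to be copied into docs and detection tests.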
@@ -3,6 +3,6 @@
 {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
 {"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[13.0,18.0,8.0],"rejected":false}
 {"ts":1617105592.973919,"uid":"CO5TE748RoJEZuOThl","id.orig_h":"10.156.0.2","id.orig_p":60444,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":35744,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[296.0,287.0,287.0],"rejected":false}
-{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","1.128.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
 {"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[12.0,17.0,7.0],"rejected":false}
 {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dns.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
index e3787ffdd3..9a37fb0ac5 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
@@ -482,7 +482,7 @@
 "ttl": 243
 },
 {
- "data": "40.126.31.143",
+ "data": "1.128.31.143",
 "ttl": 243
 },
 {
@@ -490,7 +490,7 @@
 "ttl": 243
 },
 {
- "data": "40.126.31.1",
+ "data": "1.128.31.1",
 "ttl": 243
 },
 {
@@ -498,11 +498,11 @@
 "ttl": 243
 },
 {
- "data": "40.126.31.135",
+ "data": "1.128.31.135",
 "ttl": 243
 },
 {
- "data": "40.126.31.6",
+ "data": "1.128.31.6",
 "ttl": 243
 },
 {
@@ -522,12 +522,12 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "40.126.31.143",
+ "1.128.31.143",
 "89.160.20.156",
- "40.126.31.1",
+ "1.128.31.1",
 "89.160.20.156",
- "40.126.31.135",
- "40.126.31.6",
+ "1.128.31.135",
+ "1.128.31.6",
 "89.160.20.156"
 ],
 "response_code": "NOERROR",
@@ -543,7 +543,7 @@
 "created": "2020-04-28T11:07:58.223Z",
 "id": "CG1jsmeHcBCGnWXmk",
 "kind": "event",
- "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"40.126.31.143\",\"89.160.20.156\",\"40.126.31.1\",\"89.160.20.156\",\"40.126.31.135\",\"40.126.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
+ "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"1.128.31.143\",\"89.160.20.156\",\"1.128.31.1\",\"89.160.20.156\",\"1.128.31.135\",\"1.128.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
 "outcome": "success",
 "type": [
 "connection",
@@ -594,12 +594,12 @@
 "prda.aadg.msidentity.com",
 "www.tm.a.prd.aadg.trafficmanager.net",
 "89.160.20.156",
- "40.126.31.143",
+ "1.128.31.143",
 "89.160.20.156",
- "40.126.31.1",
+ "1.128.31.1",
 "89.160.20.156",
- "40.126.31.135",
- "40.126.31.6",
+ "1.128.31.135",
+ "1.128.31.6",
 "89.160.20.156"
 ],
 "query": "login.microsoftonline.com",